- Daily - CERT.at

Tageszusammenfassung - 21.07.2021
by Daily end-of-shift report 21 Jul '21

21 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-07-2021 18:00 − Mittwoch 21-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trügerische Gewinnversprechen ∗∗∗ --------------------------------------------- Der Onlinehandel mit Finanzinstrumenten wird bei Anlegern immer beliebter. Diesen Trend machen sich Betrüger zunutze. Sie versprechen hohe Gewinne mit betrügerischen Cybertrading-Plattformen. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=4661724A4D466861696B4D3D ∗∗∗ XLoader malware steals logins from macOS and Windows systems ∗∗∗ --------------------------------------------- A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xloader-malware-steals-login… ∗∗∗ NPM package steals Chrome passwords on Windows via recovery tool ∗∗∗ --------------------------------------------- New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-package-steals-chrome-pa… ∗∗∗ Betrügerische E-Mail im Namen der Raiffeisen Bank im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche InternetnutzerInnen finden derzeit ein vermeintliches E-Mail der Raiffeisen Bank in ihrem Posteingang. Darin wird behauptet, dass aufgrund aktueller Betrugsversuche ein neues Sicherheitssystem notwendig sei. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mail-im-namen-der-r… ∗∗∗ CVE-2021-31969: Underflowing in the Clouds ∗∗∗ --------------------------------------------- You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native API known as the Cloud Filter API. --------------------------------------------- https://www.thezdi.com/blog/2021/7/19/cve-2021-31969-underflowing-in-the-cl… ∗∗∗ New Attacks on Kubernetes via Misconfigured Argo Workflows ∗∗∗ --------------------------------------------- Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. --------------------------------------------- https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Nasty Linux Systemd Security Bug Revealed ∗∗∗ --------------------------------------------- Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic. --------------------------------------------- https://it.slashdot.org/story/21/07/20/211230/nasty-linux-systemd-security-… ∗∗∗ Vulnerability in ON24 Plugin for macOS Shares More Than Just Your Screen ∗∗∗ --------------------------------------------- ON24 presenter mode requires you to install a plugin that is used to share your screen. For the macOS app (DesktopScreenShare.app), the plugin is started automatically once a user logs on. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ HiveNightmare: Nutzer können die Windows-Passwort-Datenbank auslesen ∗∗∗ --------------------------------------------- Fehlerhafte Zugriffsrechte verursachen eine Sicherheitslücke in Windows 10 und 11. Einen Patch gibt es noch nicht – wir zeigen aber erste Workarounds. --------------------------------------------- https://heise.de/-6143746 ∗∗∗ Sicherheitsupdates: Adobe patcht Photoshop & Co. außer der Reihe ∗∗∗ --------------------------------------------- Angreifer könnten Computer, auf denen unter anderem Adobe After Effects oder Prelude laufen, mit Schadcode attackieren. --------------------------------------------- https://heise.de/-6143780 ∗∗∗ Root-Kernel-Lücke bedroht viele Linux-Distributionen ∗∗∗ --------------------------------------------- Sicherheitsforscher demonstrieren erfolgreiche Attacken auf Debian, Fedora und Ubuntu. Im Anschluss hatten sie Root-Rechte. Patches schaffen Abhilfe. --------------------------------------------- https://heise.de/-6144023 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc,[...] --------------------------------------------- https://lwn.net/Articles/863861/ ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in Safari 14.1.2 and iOS 14.7. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/apple-releases-se… ∗∗∗ Malware Targeting Pulse Secure Devices ∗∗∗ --------------------------------------------- As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting… ∗∗∗ VU#914124: Arcadyan-based routers and modems vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/914124 ∗∗∗ Dell OpenManage Enterprise Hardcoded Credentails / Privilege Escalation / Deserialization ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021070121 ∗∗∗ Security Bulletin: Multiple vulnerabilities in F5 NGINX Controller affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Nvidia GPU Display Treiber: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0769 ∗∗∗ PuTTY: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0790 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-201-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2021
by Daily end-of-shift report 20 Jul '21

20 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 19-07-2021 18:00 − Dienstag 20-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New MosaicLoader malware targets software pirates via online ads ∗∗∗ --------------------------------------------- An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader advertising camouflaged as cracked software via search engine results to infect wannabe software pirates systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mosaicloader-malware-tar… ∗∗∗ Summer of SAM - incorrect permissions on Windows 10/11 hives, (Tue, Jul 20th) ∗∗∗ --------------------------------------------- If you opened Twitter today you were probably flooded with news about the latest security issue with Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/27652 ∗∗∗ 6 typische Phishing-Attacken ∗∗∗ --------------------------------------------- Phishing, Smishing, Vishing - kennen Sie den Unterschied? --------------------------------------------- https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/ ∗∗∗ Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware ∗∗∗ --------------------------------------------- The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771). --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-fro… ∗∗∗ Don’t Wanna Pay Ransom Gangs? Test Your Backups. ∗∗∗ --------------------------------------------- Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only theyd had proper data backups. --------------------------------------------- https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-b… ∗∗∗ Vorsicht vor gefälschtem „Voicemail“ SMS ∗∗∗ --------------------------------------------- „Sie haben eine neue Voicemail“: Dieses lästige Fake-SMS mit einem Link zu einer angeblichen Sprachnachricht erhalten momentan unzählige HandynutzerInnen. Klicken Sie keinesfalls auf den Link. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-voicemail-… ∗∗∗ AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department ∗∗∗ --------------------------------------------- This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa21-200a ∗∗∗ Significant Historical Cyber-Intrusion Campaigns Targeting ICS ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-histo… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3 Security Advisories for 2021-07-20 ∗∗∗ --------------------------------------------- TYPO3-CORE-SA-2021-009 - TYPO3-CORE-SA-2021-012 --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Forensischer Bericht: iMessage-Lücke für Pegasus Spyware wird weiterhin genutzt ∗∗∗ --------------------------------------------- Amnesty International geht davon aus, dass eine iMessage-Lücke zur Installation von Spyware der Überwachungsfirma NSO Group bis heute ausgenutzt wird. --------------------------------------------- https://heise.de/-6141467 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libjdom1-java, rabbitmq-server, and systemd), Fedora (glibc), Gentoo (libpano13, libslirp, mpv, pjproject, pycharm-community, and rpm), Mageia (glibc, libuv, mbedtls, rvxt-unicode, mxrvt, eterm, tomcat, and zziplib), openSUSE (dbus-1, firefox, go1.15, lasso, nodejs10, nodejs12, nodejs14, and sqlite3), SUSE (go1.15), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/863617/ ∗∗∗ Oracle Releases July 2021 Critical Patch Update ∗∗∗ --------------------------------------------- Oracle has released its Critical Patch Update for July 2021 to address 327 vulnerabilities across multiple products. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/oracle-releases-j… ∗∗∗ Hundreds of millions of HP, Xerox, and Samsung printers vulnerable to new bug ∗∗∗ --------------------------------------------- Security experts have found a severe vulnerability in a common printer driver used by HP, Xerox, and Samsung. --------------------------------------------- https://therecord.media/hundreds-of-millions-of-hp-xerox-and-samsung-printe… ∗∗∗ New Sequoia bug gives you root access on most Linux systems ∗∗∗ --------------------------------------------- Security auditing firm Qualys said today it discovered a new vulnerability in the Linux operating system that can grant attackers root access on most distros, such as Ubuntu, Debian, and Fedora. --------------------------------------------- https://therecord.media/new-sequoia-bug-gives-you-root-access-on-most-linux… ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht FortiManager und FortiAnalyzer ∗∗∗ --------------------------------------------- https://heise.de/-6142498 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems used by IBM Cloud Pak System (Jan2021 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale could allow an authenticated user to gain elevated privileges (CVE-2020-9492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Pak System (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Vulnerabilities in Docker affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-docker… ∗∗∗ Security Bulletin: Vulnerabilities in Python affect OS Image for RedHat bundled with Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python… ∗∗∗ Security Bulletin: Watson Explorer is affected by Apache PDFBox vulnerabilities (CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-explorer-is-affect… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects Cloud Pak System (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in node.js and OpenSSL (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-670099.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2021
by Daily end-of-shift report 19 Jul '21

19 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-07-2021 18:00 − Montag 19-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Innenministerium warnt vor betrügerischen SMS ∗∗∗ --------------------------------------------- Es sind erneut Betrugs-SMS im Umlauf, wobei Menschen in Österreich immer wieder Benachrichtigungen mit Informationen zu einer verpassten Sprachnachricht erhalten. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=50783968547451414D42673D ∗∗∗ VU#131152: Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files ∗∗∗ --------------------------------------------- Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process. --------------------------------------------- https://kb.cert.org/vuls/id/131152 ∗∗∗ Betrug per Whatsapp: "Ich hab mein Handy verloren, kannst du Geld überweisen?" ∗∗∗ --------------------------------------------- Mit vorgeblichen Hilferufen von Verwandten versuchen Trickbetrüger per Whatsapp, Menschen um ihr Geld zu bringen - oft mit Erfolg, sagt die Polizei. --------------------------------------------- https://www.golem.de/news/betrug-per-whatsapp-ich-hab-mein-handy-verloren-k… ∗∗∗ That iPhone WiFi crash bug is far worse than initially thought ∗∗∗ --------------------------------------------- An innocuous iPhone bug that could crash the WiFi service has turned out to be far worse than initially thought after mobile security firm ZecOps showed on Friday how the bug could be abused for remote code execution attacks. --------------------------------------------- https://therecord.media/that-iphone-wifi-crash-bug-is-far-worse-than-initia… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-815: Cisco WebEx Network Recording Player ARF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-815/ ∗∗∗ ZDI-21-876: (0Day) Advantech WebAccess/NMS DashBoardAction Missing Authentication Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-876/ ∗∗∗ ZDI-21-879: (0Day) WSO2 API Manager JMX Use of Hard-coded Credentials Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of WSO2 API Manager. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-879/ ∗∗∗ ZDI-21-877: (0Day) Autodesk Meshmixer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Meshmixer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-877/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, mbedtls, nextcloud, python-pillow, ruby, ruby2.6, ruby2.7, systemd, thunderbird, varnish, and vivaldi), Debian (thunderbird), Fedora (chromium, firefox, and linux-firmware), Gentoo (apache, commons-fileupload, dovecot, and mediawiki), openSUSE (firefox, fossil, go1.16, and icinga2), Oracle (firefox, kernel, and kernel-container), Red Hat (nettle), and SUSE (firefox and go1.16). --------------------------------------------- https://lwn.net/Articles/863453/ ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. --------------------------------------------- https://support.citrix.com/article/CTX319135 ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE results in a low confidentiality impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Handlebars.js ( CVE-2019-19919, CVE-2021-32820) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: IBM Security SOAR could allow a privileged user to import non-approved Python2 modules (CVE-2021-29780). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-a… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tier CVE-2021-21409 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in shell affects Power Hardware Management Console ( CVE-2021-29707). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-shell-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2021
by Daily end-of-shift report 16 Jul '21

16 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-07-2021 18:00 − Freitag 16-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warten auf Patches: Neue Drucker-Lücke in Windows entdeckt ∗∗∗ --------------------------------------------- Abermals könnten Angreifer Windows über eine Drucker-Schwachstelle attackieren und Schadcode ausführen. Bislang gibt es nur einen Workaround zur Absicherung. --------------------------------------------- https://heise.de/-6140346 ∗∗∗ Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft ∗∗∗ --------------------------------------------- XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool --------------------------------------------- https://www.securityweek.com/vulnerabilities-etherpad-collaboration-tool-al… ∗∗∗ Introduction to ICS Security Part 2 ∗∗∗ --------------------------------------------- An introduction to the Purdue Enterprise Reference Architecture (PERA), additional reference models, and best practices for secure ICS architectures. --------------------------------------------- https://www.sans.org/blog/introduction-to-ics-security-part-2?msc=rss ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Intelligent Proximity SSL Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device (Version: 1.1 Description: Added fixed releases.) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device that results in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the software cryptography module handles specific types of [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Schadcode-Lücken im Netzwerkbetriebssystem Junos OS geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten unter anderem Router und Switches von Juniper attackieren. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6140423 ∗∗∗ WordPress-Plugin: WooCommerce schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- WordPress hat nach dem Veröffentlichen des Patches ein automatisiertes Zwangsupdate veranlasst. Trotzdem könnten noch nicht alle Shops versorgt sein. --------------------------------------------- https://heise.de/-6140221 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040 ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code. --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-d-link.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Debian (firefox-esr), Fedora (linuxptp), Gentoo (commons-collections), Mageia (aom, firefox, python-django, thunderbird, and tpm2-tools), openSUSE (claws-mail, kernel, nodejs10, and nodejs14), Red Hat (nettle), Scientific Linux (firefox), SUSE (firefox, kernel, nodejs10, and nodejs14), and Ubuntu (libslirp and qemu). --------------------------------------------- https://lwn.net/Articles/863180/ ∗∗∗ Ypsomed mylife ∗∗∗ --------------------------------------------- This advisory contains mitigations for Insufficiently Protected Credentials, Not Using an Unpredictable IV with CBC Mode, and Use of Hard-coded Credentials vulnerabilities in the Ypsomed mylife diabetes management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-196-01 ∗∗∗ Icinga: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0758 ∗∗∗ [webapps] Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50132 ∗∗∗ Security Bulletin: IBM i2 Analyze is affected by multiple DB2 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-is-affecte… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM DB2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM uses less secure methods for securing data at rest and in transit between hosts (CVE-2020-4980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-less… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud TierCVE-(2021-21295) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: 3RD PARTY IBM InfoSphere MDM Inspector – Cross Site Request Forgery ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-3rd-party-ibm-infosphere-… ∗∗∗ Security Bulletin: IBM Data Replication Support Tool Information Collection on Sybase Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-supp… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Affected by IBM Java SDK Vulnerability (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects Collaboration and Deployment Services (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Vulnerabilities in IBM Java SDK (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Management Console Authentication Affected by Annonymous Binding (CVE-2020-4821) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-mana… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2021
by Daily end-of-shift report 15 Jul '21

15 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-07-2021 18:00 − Donnerstag 15-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IT-Sicherheit: Immer mehr Zero-Day-Exploits bei Angriffen entdeckt ∗∗∗ --------------------------------------------- Sicherheitsforscher verzeichnen immer mehr Angriffe, für die zuvor unbekannte Sicherheitslücken ausgenutzt werden. Das müsse jedoch kein schlechtes Zeichen sein, sagen die Forscher. --------------------------------------------- https://www.golem.de/news/it-sicherheit-immer-mehr-zero-day-exploits-bei-an… ∗∗∗ Attacken auf nicht mehr unterstützte Fernzugriff-Produkte von Sonicwall ∗∗∗ --------------------------------------------- Angreifer attackieren derzeit nicht mehr im Support befindliche Sonicwall Secure Mobile Access und Secure Remote Access mit Ransomware. --------------------------------------------- https://heise.de/-6139330 ∗∗∗ Grüner Pass – worauf Sie achten müssen! ∗∗∗ --------------------------------------------- Seit Kurzem kann man mit dem "Grünen Pass" digital nachweisen, dass man geimpft, getestet oder genesen ist. Aber was ist der "Grüne Pass" und wie kann dieser genutzt werden? Der "Grüne Pass" kann in unterschiedlichen Formen genutzt werden: ausgedruckt, via App, als Foto etc. Wir zeigen Ihnen, wie Sie zu diesem kommen und worauf Sie achten sollten. --------------------------------------------- https://www.watchlist-internet.at/news/gruener-pass-worauf-sie-achten-muess… ∗∗∗ Ransomware: Interpol warnt vor exponentiellen Wachstum ∗∗∗ --------------------------------------------- Cyberkriminelle agieren laut Interpol über Grenzen hinweg und bleiben dabei meist ungestraft. Die Polizeibehörde befürchtet ohne eine Zusammenarbeit zwischen Ermittlern und Privatwirtschaft eine "Ransomware-Pandemie". --------------------------------------------- https://www.zdnet.de/88395786/ransomware-interpol-warnt-vor-exponentiellen-… ∗∗∗ BazarBackdoor sneaks in through nested RAR and ZIP archives ∗∗∗ --------------------------------------------- Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-thro… ∗∗∗ Linux version of HelloKitty ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMwares ESXi virtual machine platform for maximum damage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-… ∗∗∗ USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th) ∗∗∗ --------------------------------------------- Phishing... at least they don't understand security any better than most kids. The latest example is a simple USPS phish. The lure is an email claiming that a package can not be delivered until I care to update my address. Urgency... and obvious action. They learned something in their phishing 101 class. --------------------------------------------- https://isc.sans.edu/diary/rss/27630 ∗∗∗ An Overview of Basic WordPress Hardening ∗∗∗ --------------------------------------------- We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress is no exception. While there are a plethora of different ways that site owners can lock down their website, in this post we are going to review the most basic hardening mechanisms that WordPress website owners can employ to improve their security. We will also review the pros and cons of these different tactics. --------------------------------------------- https://blog.sucuri.net/2021/07/basic-wordpress-hardening.html ∗∗∗ macOS: Bashed Apples of Shlayer and Bundlore ∗∗∗ --------------------------------------------- The Uptycs threat research team has been observing over 90% of macOS malware in our daily analysis and customer telemetry alerts using shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains—Shlayer and Bundlore. These malware are the most predominant malware in macOS, also with a history of evading and bypassing the built-in Xprotect, Gatekeeper, Notarization and File Quarantine security features of macOS. --------------------------------------------- https://www.uptycs.com/blog/macos-bashed-apples-of-shlayer-and-bundlore ∗∗∗ Gasket and MagicSocks Tools Install Mespinoza Ransomware ∗∗∗ --------------------------------------------- As cyber extortion flourishes, ransomware gangs are constantly changing tactics and business models to increase the chances that victims will pay increasingly large ransoms. As these criminal organizations become more sophisticated, they are increasingly taking on the appearance of professional enterprises. --------------------------------------------- https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mes… ∗∗∗ CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses ∗∗∗ --------------------------------------------- Original release date: July 14, 2021CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors. Compromises of MSPs—such as with the recent [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/14/cisa-insights-gui… ===================== = Vulnerabilities = ===================== ∗∗∗ SA44846 - OpenSSL Security Advisory CVE-2021-23841 ∗∗∗ --------------------------------------------- On February 16 2021, the OpenSSL project announced a new security advisory. These issues may affect Pulse Secure product. [...] Pulse Secure is currently evaluating the following issues reported by OpenSSL: As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat am 14.7.2021 32 Security Advisories mit folgenden Severity Levels veröffentlicht: 12x Medium, 15x High, 5x Critical --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. R-SeeNet is the software system used for monitoring Advantech routers. [...] Talos is disclosing these vulnerabilities despite no official update from Advantech inside the 90-day deadline, as outlined in Cisco’s vulnerability disclosure policy. --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-r-see-net.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and php7.0), Fedora (firefox, mingw-djvulibre, and seamonkey), Gentoo (fluidsynth, openscad, and urllib3), openSUSE (ffmpeg, nodejs12, and sqlite3), Red Hat (firefox), and SUSE (ffmpeg, kernel, nodejs10, nodejs12, nodejs14, and sqlite3). --------------------------------------------- https://lwn.net/Articles/863001/ ∗∗∗ Lenovo Working on Patches for BIOS Vulnerabilities Affecting Many Laptops ∗∗∗ --------------------------------------------- Lenovo this week published information on three vulnerabilities that impact the BIOS of two of its desktop products and approximately 60 laptop and notebook models. --------------------------------------------- https://www.securityweek.com/lenovo-working-patches-bios-vulnerabilities-af… ∗∗∗ Kubernetes: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0751 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by vulnerability in Java SE (CVE-2020-14579)( CVE-2020-14578)(CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Compare and Comply for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-compare-and-co… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Apache Commons ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Eclipse Jetty ( CVE-2021-28163, CVE-2021-28165, CVE-2020-27223) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a specially-crafted sequence of serialized objects(CVE-2020-4576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2021
by Daily end-of-shift report 14 Jul '21

14 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-07-2021 18:00 − Mittwoch 14-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Updated Joker Malware Floods into Android Apps ∗∗∗ --------------------------------------------- The Joker premium billing-fraud malware is back on Google Play in a fresh onslaught, with an updated bag of tricks to evade scanners. --------------------------------------------- https://threatpost.com/updated-joker-malware-android-apps/167776/ ∗∗∗ Cybercrime-Bande REvil von der Bildfläche verschwunden ∗∗∗ --------------------------------------------- Die Kriminellen erpressten über 1000 Firmen, deren Daten sie mit dem Kaseya-Lieferketten-Angriff verschlüsselten. Jetzt sind ihre Server nicht mehr erreichbar. --------------------------------------------- https://heise.de/-6137119 ∗∗∗ Identitätsdiebstahl statt Darlehen: Schließen Sie keinen Kredit auf 1superkredit.com und kredit-united.com ab! ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach einem Kredit? Dann stoßen Sie womöglich auf die Webseiten 1superkredit.com oder kredit-united.com. Zwei Webseiten, die einiges gemeinsam haben: Die Webseiten sehen sehr ähnlich aus, bewerben Kredite zu günstigen Bedingungen und hinter beiden Seiten stecken BetrügerInnen. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-darlehen-… ∗∗∗ CISA Releases Analysis of FY20 Risk and Vulnerability Assessments ∗∗∗ --------------------------------------------- CISA has released an analysis and infographic detailing the findings from the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisa-releases-ana… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall warns of critical ransomware risk to SMA 100 VPN appliances ∗∗∗ --------------------------------------------- SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-… ∗∗∗ Authentication bypass & Remote code Execution bei Schneider Electric EVlink Ladestationen ∗∗∗ --------------------------------------------- Schneider Electric Ladestationen für E-Autos der "EVlink" Serie sind von zwei Schwachstellen betroffen die es einem Angreifer ermöglichen das System zu übernehmen und dort beliebige Befehle auszuführen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass… ∗∗∗ Microsoft-Patchday: Angreifer nutzen vier Sicherheitslücken in Windows aus ∗∗∗ --------------------------------------------- Microsoft schließt unter anderem kritische Schadcode-Lücken in der Schutzlösung Windows Defender. Neben aktiven Angriffen könnten weitere Attacken bevorstehen. --------------------------------------------- https://heise.de/-6137050 ∗∗∗ Patchday: Adobe schließt kritische Lücken in Bridge, Illustrator & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Adobe-Anwendungen. Angreifer könnten Schadcode ausführen. --------------------------------------------- https://heise.de/-6137110 ∗∗∗ Patchday SAP: Angreifer könnten unberechtigt auf NetWeaver zugreifen ∗∗∗ --------------------------------------------- Der Softwarehersteller SAP schließt mehrere Sicherheitslücken in seinem Portfolio. --------------------------------------------- https://heise.de/-6137467 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xstream), Debian (linuxptp), Fedora (glibc and krb5), Gentoo (pillow and thrift), Mageia (ffmpeg and libsolv), openSUSE (kernel and qemu), SUSE (kernel), and Ubuntu (php5, php7.0). --------------------------------------------- https://lwn.net/Articles/862855/ ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric on Tuesday released a total of two dozen advisories covering roughly 100 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Bulletin: Unrestricted document type definition vulnerability affects IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-unrestricted-document-typ… ∗∗∗ Security Bulletin: A security vulnerability was fixed in IBM Security Access Manager and IBM Security Verify Access Docker containers ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Verify Access Docker container ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache PDFBox Vulnerabilities Affect IBM Control Center (CVE-2021-31811, CVE-2021-31812) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-vulnerabili… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ VMSA-2021-0015 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0015.html ∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-01 ∗∗∗ Schneider Electric SCADApack RTU, Modicon Controllers, and Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2021
by Daily end-of-shift report 13 Jul '21

13 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 12-07-2021 18:00 − Dienstag 13-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trickbot Activity Increases; new VNC Module On the Radar ∗∗∗ --------------------------------------------- Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. --------------------------------------------- https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-m… ∗∗∗ Buchen Sie Ihre Unterkunft nicht auf fewolio.de ∗∗∗ --------------------------------------------- fewolio.de ist eine unseriöse Buchungsplattform für luxuriöse Ferienhäuser in Deutschland. Die betrügerische Plattform sticht vor allem durch ihre günstigen Preise und kurzfristigen Verfügbarkeiten hervor. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf… ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Sicherheit: Neue Sicherheitslücke bei Solarwinds ∗∗∗ --------------------------------------------- Bei einer Dateiaustausch-Software von Solarwinds gab es Probleme. Ein Angreifer hat die Sicherheitslücke offenbar aktiv ausgenutzt. --------------------------------------------- https://www.golem.de/news/it-sicherheit-neue-sicherheitsluecke-bei-solarwin… ∗∗∗ ModiPwn ∗∗∗ --------------------------------------------- Armis researchers discover a critical vulnerability in Schneider Electric Modicon PLCs. The vulnerability can allow attackers to bypass authentication mechanisms which can lead to native remote-code-execution on vulnerable PLCs. --------------------------------------------- https://www.armis.com/research/modipwn/ ∗∗∗ Siemens Security Advisories 2021-07-13 ∗∗∗ --------------------------------------------- Siemens hat 18 neue und 5 aktualisierte Security Advisories veröffentlicht. (CVSS Scores von 5.3 bis 9.8) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html ∗∗∗ Citrix Virtual Apps and Desktops Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM. --------------------------------------------- https://support.citrix.com/article/CTX319750 ∗∗∗ Examining Crypto and Bypassing Authentication in Schneider Electric PLCs (M340/M580) ∗∗∗ --------------------------------------------- What you see in the picture above is similar to what you might see at a factory, plant, or inside a machine. At the core of it is Schneider Electric’s Modicon M340 programmable logic controller (PLC). --------------------------------------------- https://medium.com/tenable-techblog/examining-crypto-and-bypassing-authenti… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip). --------------------------------------------- https://lwn.net/Articles/862767/ ∗∗∗ Recently Patched ForgeRock AM Vulnerability Exploited in Attacks ∗∗∗ --------------------------------------------- Government agencies in the United States and Australia warn organizations that a recently patched vulnerability affecting ForgeRock Access Management has been exploited in the wild. --------------------------------------------- https://www.securityweek.com/recently-patched-forgerock-am-vulnerability-ex… ∗∗∗ ZDI-21-786: Trend Micro Apex One Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-786/ ∗∗∗ ZDI-21-789: (0Day) GoPro Player MOV File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-789/ ∗∗∗ ZDI-21-788: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-788/ ∗∗∗ ZDI-21-787: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-787/ ∗∗∗ SAP Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0734 ∗∗∗ Security Bulletin: A vulnerability was found in Oniguruma 6.9.2 that would result in a NULL Pointer Dereference, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-found… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where insecure http communications is used ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-out-of-bounds-read-vul… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where an error message may disclose implementation details ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Applications v4.3 does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to target blank set in HTML anchor tags ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 which may allow a malicious attacker to obtain sensitive user information from memory ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerabilty has been found in x/test pacakge before 0.3.3 for Go that could lead to an infinite loop, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-has-been-f… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes the possibility of a cross-site scripting attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ VMSA-2021-0014 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0014.html ∗∗∗ glibc vulnerability CVE-2020-27618 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08641512 ∗∗∗ Apache Cassandra vulnerability CVE-2020-13946 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36212405 ∗∗∗ Apache Tomcat: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0733 ∗∗∗ Icinga: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0732 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/adobe-releases-se… ∗∗∗ Security Advisories SYSS-2021-022, SYSS-2021-023, SYSS-2021-025 und SYSS-2021-026 zu P&I-Software LOGA3 ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/security-advisories-syss-2021-022-syss-202… ∗∗∗ SYSS-2021-020, SYSS-2021-021, SYSS-2021-027: Mehrere Schwachstellen in Element-IT HTTP Commander ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-020-syss-2021-021-syss-2021-027-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2021
by Daily end-of-shift report 12 Jul '21

12 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-07-2021 18:00 − Montag 12-07-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Conti Unpacked | Understanding Ransomware Development As a Response to Detection ∗∗∗ --------------------------------------------- Not yet two years old and already in its seventh iteration, Ransomware as a Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. [...] In this report, we describe in unprecedented detail the rapid evolution of this ransomware and how it has adapted quickly to defenders’ attempts to detect and analyze it. --------------------------------------------- https://labs.sentinelone.com/conti-unpacked-understanding-ransomware-develo… ∗∗∗ Ransomware tracker: the latest figures ∗∗∗ --------------------------------------------- Ransomware attacks have been dominating the headlines, thanks to high-profile incidents against organizations including Colonial Pipeline, JBS, and Kaseya. But an analysis of attacks against certain sectors shows that not all industries are impacted to the same degree... --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ Serv-U Remote Memory Escape Vulnerability CVE-2021-35211 ∗∗∗ --------------------------------------------- UPDATE July 10, 2021: NOTE: This security vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211 ∗∗∗ Jetzt patchen! Sicherheitspatch schließt REvil-Lücke in Kaseya VSA ∗∗∗ --------------------------------------------- Admins sollten die IT-Management-Software VSA von Kaseya zügig aktualisieren. Angreifer nutzen derzeit mehrere Sicherheitslücken aus. --------------------------------------------- https://heise.de/-6134473 ∗∗∗ SECURITY BULLETIN: Trend Micro Worry-Free Business Security Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services that resolve an incorrect permission assignment denial-of-service vulnerability. --------------------------------------------- https://success.trendmicro.com/solution/000286856 ∗∗∗ Security updates for Saturday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (gitlab, nodejs, openexr, php, php7, rabbitmq, ruby-addressable, and spice), Fedora (suricata), Gentoo (binutils, docker, runc, and tor), Mageia (avahi, botan2, connman, gstreamer1.0-plugins, htmldoc, jhead, libcroco, libebml, libosinfo, openexr, php, php-smarty, pjproject, and python), openSUSE (apache2, bind, bouncycastle, ceph, containerd, docker, runc, cryptctl, curl, dovecot23, firefox, graphviz, gstreamer-plugins-bad, java-1_8_0-openj9, java-1_8_0-openjdk, libass, libjpeg-turbo, libopenmpt, libqt5-qtwebengine, libu2f-host, libwebp, libX11, lua53, lz4, nginx, ovmf, postgresql10, postgresql12, python-urllib3, qemu, roundcubemail, solo, thunderbird, ucode-intel, wireshark, and xterm), and SUSE (permissions). --------------------------------------------- https://lwn.net/Articles/862487/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (djvulibre), Gentoo (connman, gnuchess, openexr, and xen), openSUSE (arpwatch, avahi, dbus-1, dhcp, djvulibre, freeradius-server, fribidi, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, gupnp, hivex, icinga2, jdom2, jetty-minimal, kernel, kubevirt, libgcrypt, libnettle, libxml2, openexr, openscad, pam_radius, polkit, postgresql13, python-httplib2, python-py, python-rsa, qemu, redis, rubygem-actionpack-5_1, salt, snakeyaml, squid, tpm2.0-tools, and xstream), Red Hat (xstream), and SUSE (bluez, csync2, dbus-1, jdom2, postgresql13, redis, slurm_20_11, and xstream). --------------------------------------------- https://lwn.net/Articles/862673/ ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a cross-site request forgery vulnerability (CVE-2020-4938) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Apache CXF Vulnerability Affects IBM Global Mailbox (CVE-2021-22696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2020-27618) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Event Streams documentation for generating .p12 files incorrectly adds the CA key into the file (CVE-2021-29792) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-event-streams-documentati… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Tivoli Netcool/OMNIbus WebGUI (CVE-2021-29803, CVE-2021-29804, CVE-2021-29805, CVE-2021-29822) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by Mozilla Network Security Services (NSS) vulnerability (CVE-2020-25648) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Critical ForgeRock Access Management Vulnerability ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgeroc… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2021
by Daily end-of-shift report 09 Jul '21

09 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-07-2021 18:00 − Freitag 09-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kaseya warns of phishing campaign pushing fake security updates ∗∗∗ --------------------------------------------- Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaseya-warns-of-phishing-cam… ∗∗∗ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability ∗∗∗ --------------------------------------------- On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/07/08/clarified-guidance-for-cve-2… ∗∗∗ Hancitor tries XLL as initial malware file, (Fri, Jul 9th) ∗∗∗ --------------------------------------------- On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead. --------------------------------------------- https://isc.sans.edu/diary/rss/27618 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Business Process Automation ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Produkte Patches veröffentlicht, die mehrere Sicherheitslücken schließen. --------------------------------------------- https://heise.de/-6133522 ∗∗∗ ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks ∗∗∗ --------------------------------------------- The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports. --------------------------------------------- https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-tech… ∗∗∗ CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict ∗∗∗ --------------------------------------------- In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-… ∗∗∗ Ransomwhere project wants to create a database of past ransomware payments ∗∗∗ --------------------------------------------- A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem. --------------------------------------------- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd). --------------------------------------------- https://lwn.net/Articles/862299/ ∗∗∗ Rockwell Automation MicroLogix 1100 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation MicroLogix 1100. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01 ∗∗∗ MDT AutoSave ∗∗∗ --------------------------------------------- This advisory contains mitigations for Inadequate Encryption Strength, SQL Injection, Relative Path Traversal, Command Injection, Uncontrolled Search Path Element, Generation of Error Message Containing Sensitive Information, and Unrestricted Upload of File with Dangerous Type in MDT Software in MDT Autosave Products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-189-02 ∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗ --------------------------------------------- BOSCH-SA-475180: The control systems SYNAX, Visual Motion, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contain PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published a security bulletin (1) about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, attackers can send crafted communication packets which may result in a denial of service condition or allow in worst case remote code execution. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-475180.html ∗∗∗ voidtools "Everything" vulnerable to HTTP header injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN68971465/ ∗∗∗ Apache Pulsar vulnerability CVE-2021-22160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68146245 ∗∗∗ Apache vulnerability CVE-2021-30641 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13815051 ∗∗∗ Advisory: Denial of service vulnerability on Automation Runtime webserver ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16254055… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to a denial of service vulnerability in Angular.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Solr ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2021
by Daily end-of-shift report 08 Jul '21

08 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-07-2021 18:00 − Donnerstag 08-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ iCloud-Problem erlaubte Password-Brute-Force – Apple streitet mit Entdecker ∗∗∗ --------------------------------------------- Einem Sicherheitsexperten gelang es, über eine Race Condition und zahlreiche IPs bestimmte Apple-IDs zurückzusetzen. Angeblich waren auch iPhone-PINs bedroht. --------------------------------------------- https://heise.de/-6120219 ∗∗∗ Vorsicht vor betrügerischen und unseriösen Apps! ∗∗∗ --------------------------------------------- Für das Smartphone gibt es zahlreiche Apps, die den Alltag erleichtern. Es gibt aber auch Apps, die das Leben erschweren können: Unseriöse Anwendungen entpuppen sich oftmals als teure Abo-Fallen oder als Datenkraken. Auch Apps, die die Geräte der NutzerInnen mit Schadsoftware infizieren, sind eine beliebte Masche von Cyberkriminellen. Wir zeigen Ihnen, wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-und-uns… ∗∗∗ Kubernetes gefährdet ∗∗∗ --------------------------------------------- Kubernetes Container und Cluster werden immer beliebter, geraten dadurch aber auch ins Visier von Hackern. Palo Alto Networks und Red Hat erläutern das unterschätzte Sicherheitsrisiko und wie Kubernetes-Instanzen zu Gefahrenherden werden. --------------------------------------------- https://www.zdnet.de/88395662/kubernetes-gefaehrdet/ ∗∗∗ Using Sudo with Python For More Security Controls, (Thu, Jul 8th) ∗∗∗ --------------------------------------------- I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I'm using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules! --------------------------------------------- https://isc.sans.edu/diary/rss/27614 ∗∗∗ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails ∗∗∗ --------------------------------------------- On, July 2nd, a massive ransomware attack was launched against roughly 50 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deep… ∗∗∗ Magecart Swiper Uses Unorthodox Concatenation ∗∗∗ --------------------------------------------- MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group. --------------------------------------------- https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenati… ∗∗∗ Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say ∗∗∗ --------------------------------------------- I pity the spool / Updated / Any celebrations that Microsofts out-of-band patch had put a stop PrintNightmare shenanigans may have been premature. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/07/07/printnightma… ∗∗∗ Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software ∗∗∗ --------------------------------------------- Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseyas customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago. --------------------------------------------- https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-… ∗∗∗ 3 things the Kaseya attack can teach us about ransomware recovery ∗∗∗ --------------------------------------------- Some lessons on dealing with ransomware recovery, thanks to the admirable transparency of a Dutch MSP impacted by the REvil attack on Kaseya. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack… ∗∗∗ Non-Malicious Android Crypto Mining Apps Scam Users at Scale ∗∗∗ --------------------------------------------- With no bad behavior, the mobile apps are difficult to detect by automated security scans --------------------------------------------- https://www.securityweek.com/non-malicious-android-crypto-mining-apps-scam-… ∗∗∗ Ransomware as a service: Negotiators are now in high demand ∗∗∗ --------------------------------------------- RaaS groups are hiring negotiators whose primary role is to force victims to pay up. --------------------------------------------- https://www.zdnet.com/article/ransomware-as-a-service-negotiators-between-h… ∗∗∗ Global Phishing Campaign Targets Energy Sector and its Suppliers ∗∗∗ --------------------------------------------- Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. --------------------------------------------- https://www.intezer.com/blog/research/global-phishing-campaign-targets-ener… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Patchday Juli ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0725 ∗∗∗ Angreifer können Sicherheitslücken in Ressourcenplanungstool Sage X3 kombinieren ∗∗∗ --------------------------------------------- Systeme mit Sage X3 sind unter anderem über eine kritische Schwachstelle mit Höchstwertung attackierbar. --------------------------------------------- https://heise.de/-6132418 ∗∗∗ Vulnerability Spotlight: Information disclosure, privilege escalation vulnerabilities in IOBit Advanced SystemCare Ultimate ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. IOBit Advanced SystemCare Ultimate is a system optimizer that promises to remove unwanted files and [...] --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-iobit0-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi). --------------------------------------------- https://lwn.net/Articles/862163/ ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisco-releases-se… ∗∗∗ Kaseya VSA Limited Disclosure ∗∗∗ --------------------------------------------- Why we are only disclosing limited details on the Kaseya vulnerabilities / Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities.Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and [...] --------------------------------------------- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ ∗∗∗ Security Bulletin: CVE-2021-28165 In Eclipse Jetty CPU usage can reach 100% upon receiving a large invalid TLS frame. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-28165-in-eclipse… ∗∗∗ Security Bulletin: CVE-2021-27568 An issue was discovered in netplex json-smart-v1, an exception is thrown from a function ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-27568-an-issue-w… ∗∗∗ Security Bulletin: CVE-2021-29711 Agent Upgrade through CLI requires inconsistent permission. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-29711-agent-upgr… ∗∗∗ Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-websph… ∗∗∗ Security Bulletin: CVE-2020-27223 when Jetty handles a request containing multiple Accept headers the server may enter a denial of service (DoS) state ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-27223-when-jetty… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2021
by Daily end-of-shift report 07 Jul '21

07 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-07-2021 18:00 − Mittwoch 07-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ WildPressure targets the macOS platform ∗∗∗ --------------------------------------------- We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS. --------------------------------------------- https://securelist.com/wildpressure-targets-macos/103072/ ∗∗∗ Why I Love (Breaking Into) Your Security Appliances ∗∗∗ --------------------------------------------- David "moose" Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to "pick one lock" to invade an enterprise through them. --------------------------------------------- https://threatpost.com/breaking-into-security-appliances/167584/ ∗∗∗ Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform ∗∗∗ --------------------------------------------- An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process. --------------------------------------------- https://thehackernews.com/2021/07/dozens-of-vulnerable-nuget-packages.html ∗∗∗ Fake-Shops für Fahrräder und E-Bikes haben Saison! ∗∗∗ --------------------------------------------- Auf bike-heller.de und mister24bike.de wird ein riesiges Sortiment an Fahrrädern und E-Bikes lagernd und sofort lieferbar angeboten. Allein das sollte stutzig machen, da viele seriöse Händler mitten in der Saison schon ausverkauft sind. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-fahrraeder-und-e-bik… ∗∗∗ Understanding REvil: The Ransomware Gang Behind the Kaseya Attack ∗∗∗ --------------------------------------------- Ransomware cases worked by Unit 42 consultants in the first six months of 2021 reveal insights into the preferred tactics of REvil threat actors. --------------------------------------------- https://unit42.paloaltonetworks.com/revil-threat-actors/ ∗∗∗ Update - Kaseya VSA Ransomwarevorfall: Sicht auf Österreich ∗∗∗ --------------------------------------------- In Folge dieses Vorfalls ist nun auch eine Spam-Kampagne, welche Schadsoftware (Cobalt Strike) im Anhang ausliefert und vorgibt, ein legitimes Update für Kaseya VSA zu sein, in Erscheinung getreten. --------------------------------------------- https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall ∗∗∗ How to Tighten IoT Security for Healthcare Organization ∗∗∗ --------------------------------------------- This post will first explore some of the ways IoT is revolutionizing medical care, then identify some of the potential problems posed by connected devices in a medical setting. --------------------------------------------- https://blog.checkpoint.com/2021/06/21/how-to-tighten-iot-security-for-heal… ===================== = Vulnerabilities = ===================== ∗∗∗ Printnightmare: Erste Patches für Windows-Sicherheitslücke ∗∗∗ --------------------------------------------- Durch ein Problem mit dem Windows-Druck-Spooler können Angreifer Code aus der Ferne ausführen. Erste Patches stehen bereit, aber noch nicht für alles. (Windows, Drucker) --------------------------------------------- https://www.golem.de/news/printnightmare-erste-patches-fuer-windows-sicherh… ∗∗∗ Kasperskys Passwort-Manager gefährdete Benutzer mit ratbaren Passwörtern ∗∗∗ --------------------------------------------- Wegen einer gründlich verpatzten Umsetzung ließen sich die vom Kaspersky Passwort-Manager vorgeschlagenen, scheinbar zufälligen Passwörter einfach erraten. --------------------------------------------- https://heise.de/-6130796 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (glibc), Gentoo (doas, firefox, glib, schismtracker, and tpm2-tss), Mageia (httpcomponents-client), openSUSE (virtualbox), Red Hat (linuxptp), Scientific Linux (linuxptp), and Ubuntu (libuv1 and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/862044/ ∗∗∗ This serious Wi-Fi bug can break your iPhone, but heres how to protect yourself ∗∗∗ --------------------------------------------- Walking past a Wi-Fi hotspot with a specific name can cause big problems for your iPhone. And the scary thing is that its easy to do. --------------------------------------------- https://www.zdnet.com/article/serious-wi-fi-bug-can-break-your-iphone-but-h… ∗∗∗ Security Advisory - Bluetooth Function Denial of Service Vulnerability in Some Huawei Smartphone Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210707-… ∗∗∗ Security Bulletin: Netty Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache JSON Small and Fast Parser (json-smart) and Underscore affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a privileged user to obtain sensitive information from internal log files (CVE-2021-29759) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by a ReDoS flaw when processing URLs (CVE-2021-33502) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Castor Vulnerability Affects IBM Control Center (CVE-2014-3004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-castor-vulnerability-affe… ∗∗∗ Security Bulletin: Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2020-29652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-golang-go-vulnerability-a… ∗∗∗ Security Bulletin: Vulnerabilities in the Python, Python cryptography , and Urllib3 affect IBM Spectrum Discover. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-py… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to underscore vulnerability (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Control Center (CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Philips Vue PACS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01 ∗∗∗ Moxa NPort IAW5000A-I/O Series Serial Device Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-187-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2021
by Daily end-of-shift report 06 Jul '21

06 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 05-07-2021 18:00 − Dienstag 06-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to protect your site against lethal unauthorized code injections ∗∗∗ --------------------------------------------- Lethal unauthorized code injections like XXS (cross site scripting) attacks are some of the most dynamic cyber-attacks. They are often very difficult to detect and can result in credit card theft, fraud, and endpoint data breaches, having a huge impact on small to medium sized businesses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-protect-your… ∗∗∗ Python DLL Injection Check, (Tue, Jul 6th) ∗∗∗ --------------------------------------------- They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. --------------------------------------------- https://isc.sans.edu/diary/rss/27608 ∗∗∗ Kaseya VSA: Wie die Lieferketten-Angriffe abliefen und was sie für uns bedeuten ∗∗∗ --------------------------------------------- Auch wer nicht davon betroffen ist, sollte sich klarmachen, was da gerade geschieht. Denn Angriffe wie der aktuelle REvil-Coup werden die IT-Welt verändern. --------------------------------------------- https://heise.de/-6129656 ∗∗∗ Kaseya Case Update 3 ∗∗∗ --------------------------------------------- Since the first signs of an incident last Friday evening the DIVD has continued to monitor the internet for instances of Kaseya VSA that remained online. We are happy to report a steady decrease in the number of online servers. --------------------------------------------- https://csirt.divd.nl/2021/07/06/Kaseya-Case-Update-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentified RFI to RCE Nagios/NagiosXI exploitation ∗∗∗ --------------------------------------------- An authenticated attacker may remotely inject and execute arbitrary code in Nagios and Nagios XI products. --------------------------------------------- https://github.com/ArianeBlow/NagiosXI-EmersonFI ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (python-django), Debian (libuv1, libxstream-java, and php7.3), Fedora (rabbitmq-server), Gentoo (glibc, google-chrome, libxml2, and postsrsd), openSUSE (libqt5-qtwebengine and roundcubemail), SUSE (python-rsa), and Ubuntu (djvulibre). --------------------------------------------- https://lwn.net/Articles/861972/ ∗∗∗ [20210705] - Core - XSS in com_media imagelist ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/860-20210705-core-xss-in-c… ∗∗∗ [20210704] - Core - Privilege escalation through com_installer ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/859-20210704-core-privileg… ∗∗∗ [20210703] - Core - Lack of enforced session termination ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/858-20210703-core-lack-of-… ∗∗∗ [20210702] - Core - DoS through usergroup table manipulation ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/857-20210702-core-dos-thro… ∗∗∗ [20210701] - Core - XSS in JForm Rules field ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/856-20210701-core-xss-in-j… ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0719 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0718 ∗∗∗ QNAP NAS HBS 3: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0717 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2021
by Daily end-of-shift report 05 Jul '21

05 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-07-2021 18:00 − Montag 05-07-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kaseya VSA Ransomwarevorfall: Sicht auf Österreich ∗∗∗ --------------------------------------------- In den Medien wird aktuell über einen Ransomwarevorfall, welcher eine große Anzahl an Firmen betrifft, berichtet 1 2. Folgend diesen Berichten gelang es der Ransomware-Gruppe "REvil" über das Einschleusen von Code in die Software-Lösung "Kaseya VSA", welche zum Remote-Monitoring und -Management für IT bei Managed Service Providern (MSP) eingesetzt wird, die Ransomware "Sodinokibi" automatisiert an die MSPs und somit auch an deren Kunden --------------------------------------------- https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall ∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗ --------------------------------------------- Update 7/5/2021: Security researcher cube0x0 discovered another attack vector for this vulnerability, which significantly expands the set of affected machines. While the original attack vector was Print System Remote Protocol [MS-RPRN], the same attack delivered via Print System Asynchronous Remote Protocol [MS-PAR] does not require Windows server to be a domain controller, or Windows 10 machine to have UAC User Account Control disabled or PointAndPrint NoWarningNoElevationOnInstall enabled. --------------------------------------------- https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html ∗∗∗ Another 0-Day Looms for Many Western Digital Users ∗∗∗ --------------------------------------------- Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who cant or wont upgrade to the latest operating system. --------------------------------------------- https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-di… ∗∗∗ Spam per Termineinladung: So schützen Sie sich! ∗∗∗ --------------------------------------------- Sie haben plötzlich im Lotto gewonnen. Jemand will Ihnen aus reiner Nächstenliebe Geld spenden. Außerdem müssen Sie unbedingt auf dieser einen Trading-Plattform investieren. Gewinne garantiert! Viele von uns kennen solche Versprechungen wohl. Spam-Mails sind nichts Neues mehr. Daher überlegen sich Kriminelle immer wieder neue Möglichkeiten, um an das Geld ihrer Opfer zu kommen. Derzeit sehr beliebt: Kalender-Spam! --------------------------------------------- https://www.watchlist-internet.at/news/spam-per-termineinladung-so-schuetze… ∗∗∗ Telnet service left enabled and without a password on SIMATIC HMI Comfort Panels ∗∗∗ --------------------------------------------- Siemens SIMATIC HMI Comfort Panels, devices meant to provide visualization of data received from industrial equipment, are exposing their Telnet service without any form of authentication, security researchers have discovered. Tracked as CVE-2021-31337, the vulnerability was revealed earlier this week. All SIMATIC HMI Comfort Panels models are believed to be impacted, except panels for SINAMICS Medium Voltage Products (SL150, SM150, and SM150i), where the Telnet service is disabled by default. --------------------------------------------- https://therecord.media/telnet-service-left-enabled-and-without-a-password-… ∗∗∗ MISP 2.4.145 and 2.4.146 released (Improved warning-lists) ∗∗∗ --------------------------------------------- MISP 2.4.145 and 2.4.146 released including a massive update to the MISP warning-lists, various improvements and security fixes. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.145 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-779: Advantech WebAccess Node BwFreRPT Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-779/ ∗∗∗ ZDI-21-778: Advantech WebAccess Node BwImgExe Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-778/ ∗∗∗ ZDI-21-777: Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-777/ ∗∗∗ ZDI-21-776: Autodesk Design Review DWF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-776/ ∗∗∗ ZDI-21-775: Autodesk Design Review DWFX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-775/ ∗∗∗ ControlTouch serial number can be misused to access customer configuration ∗∗∗ --------------------------------------------- ABB is aware of a privately reported vulnerability in the ControlTouch cloud subsystem. The cloud sub-system is updated to remove the vulnerability. An attacker who successfully exploited this vulnerability could modify the configuration of the ControlTouch of an authorized user. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A3688&Lan… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, mruby, opera, puppet, and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, graphviz, and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa). --------------------------------------------- https://lwn.net/Articles/861906/ ∗∗∗ Ricon Industrial Cellular Router S9922XL Remote Command Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php ∗∗∗ GNU C Library (glibc) vlunerability CVE-2016-10228 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52494142?utm_source=f5support&utm_mediu… ∗∗∗ Advisory: Denial of Service vulnerability in B&R Industrial Automation PROFINET IO Device ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864… ∗∗∗ Advisory: Stack crash in B&R Industrial Automation X20 EthernetIP Adpater ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2021
by Daily end-of-shift report 02 Jul '21

02 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-07-2021 18:00 − Freitag 02-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gelöschte Netz-Festplatten: Western Digital plant Hilfe bei Wiederherstellung ∗∗∗ --------------------------------------------- Die Daten angegriffener HDDs der WD-Baureihe My Book Live sollen sich wiederherstellen lassen. Western Digital will künftig entsprechende Dienste anbieten. --------------------------------------------- https://heise.de/-6127479 ∗∗∗ Scorecards 2.0: Sicherheitsrisiken in Open-Source-Software aufdecken ∗∗∗ --------------------------------------------- Das automatisierte Security-Tool Scorecards legt die Karten auf den Tisch - wie sicher ist Open-Source-Software? --------------------------------------------- https://heise.de/-6127588 ∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗ --------------------------------------------- [Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.] June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsofts advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to [...] --------------------------------------------- https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html ∗∗∗ Babuk ransomware is back, uses new version on corporate networks ∗∗∗ --------------------------------------------- After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-use… ∗∗∗ Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software ∗∗∗ --------------------------------------------- In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolias major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a report published Thursday. --------------------------------------------- https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.ht… ∗∗∗ New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active [...] --------------------------------------------- https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html ∗∗∗ 2020 Report: ICS Endpoints as Starting Points for Threats ∗∗∗ --------------------------------------------- The use of Industrial Control Systems (ICS) makes operations more efficient for various industries. These systems are powered by the interconnection between IT (information technology) and OT (operational technology), which help boost efficiency and speed. Unfortunately, this very interconnection also inadvertently makes ICS susceptible to cyberthreats. Securing these systems is vital, and one of its components that must be protected from threats are endpoints. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-r… ∗∗∗ STIR/SHAKEN: Nordamerika signiert Rufnummern im Kampf gegen Spam ∗∗∗ --------------------------------------------- Nordamerikas Netzbetreiber signieren und verifizieren jetzt Telefonnummern nach dem STIR/SHAKEN-System. Das erschwert Anrufe mit gefälschten Anruferkennungen. --------------------------------------------- https://heise.de/-6127147 ∗∗∗ TrickBot and Zeus ∗∗∗ --------------------------------------------- TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targetted ransomware attacks, eventually resulting in the [...] --------------------------------------------- https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/ ∗∗∗ Top 5 Scam Techniques: What You Need to Know ∗∗∗ --------------------------------------------- Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work. So, you may hear about a new scam that uses a novel narrative, but there is a good chance that the scam relies on proven scam techniques once the narrative is stripped [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/top-sca… ∗∗∗ Ransomware. In the air? ∗∗∗ --------------------------------------------- Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren’t significantly exposed, [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/ransomware-in-the-air/ ∗∗∗ Mysterious Node.js malware puzzles security researchers ∗∗∗ --------------------------------------------- Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot. --------------------------------------------- https://therecord.media/mysterious-node-js-malware-puzzles-security-researc… ∗∗∗ TrickBot: New attacks see the botnet deploy new banking module, new ransomware ∗∗∗ --------------------------------------------- Over the course of the past few weeks, new activity has been observed from TrickBot, one of todays largest malware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that the TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.The post TrickBot: New attacks see the botnet deploy new banking module, new ransomware appeared first on The Record by Recorded Future. --------------------------------------------- https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-bank… ∗∗∗ The Brothers Grim ∗∗∗ --------------------------------------------- The reversing tale of GrimAgent malware used by Ryuk --------------------------------------------- https://blog.group-ib.com/grimagent ===================== = Vulnerabilities = ===================== ∗∗∗ WAGO: Multiple Vulnerabilities in I/O-Check Service ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the WAGO I/O-Check Service were reported. By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-036 ∗∗∗ Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability ∗∗∗ --------------------------------------------- If you manage yoiur Azure resources from PowerShell version 7.0 or 7.1, we’ve released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1. We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn’t affected by this issue. --------------------------------------------- https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and… ∗∗∗ Jetzt handeln! Angreifer nutzen Drucker-Lücke PrintNightmare in Windows aus ∗∗∗ --------------------------------------------- Alle Windows-Systeme sind von der PrintNightmare-Schwachstelle bedroht. Derzeit finden Attacken statt. So geht der Workaround zur Absicherung. --------------------------------------------- https://heise.de/-6127265 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang). --------------------------------------------- https://lwn.net/Articles/861679/ ∗∗∗ Johnson Controls Facility Explorer ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerability in Johnson Controls Facility Explorer industrial Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01 ∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read vulnerabilities in Delta Electronics DOPSoft software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-03 ∗∗∗ Mitsubishi Electric Air Conditioning System ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in Mitsubishi Electric air conditioning systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-04 ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning Systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05 ∗∗∗ All Bachmann M1 System Processor Modules ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the advisory titled ICSA-21-026-01P All Bachmann M1 System Processor Modules, posted to the HSIN ICS library on January 26, 2021. This advisory is now being released to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in Bachmann M1 system processor modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01-0 ∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-020 ∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-026 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0714 ∗∗∗ Red Hat Developer Tools: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0715 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2021
by Daily end-of-shift report 01 Jul '21

01 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-06-2021 18:00 − Donnerstag 01-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ "Drucker-Albtraum": Offene Sicherheitslücke erlaubt die Übernahme gesamter Windows-Netzwerke ∗∗∗ --------------------------------------------- Sicherheitsforscher veröffentlichen versehentlich passenden Schadcode, nun herrscht akuter Handlungsbedarf für Windows-Administratoren --------------------------------------------- https://www.derstandard.at/story/2000127868579/drucker-albtraum-offene-sich… ∗∗∗ Vorschussbetrug mit Krediten auf befinax.com ∗∗∗ --------------------------------------------- Auf der Suche nach Krediten, Hypotheken oder Versicherungen stoßen Sie womöglich auf befinax.com. Die Seite ist schön aufgebaut, verspricht schnelle Kreditvergaben und wirbt mit den Logos und Namen großer und bekannter Banken. Doch Vorsicht: Hier werden Sie betrogen! Vorab zu bezahlende Gebühren landen direkt in den Händen Krimineller und Kredit gibt es keinen. --------------------------------------------- https://www.watchlist-internet.at/news/vorschussbetrug-mit-krediten-auf-bef… ∗∗∗ The Most Prolific Ransomware Families: A Defenders Guide ∗∗∗ --------------------------------------------- In this article, DomainTools researchers provide a look at the three most prolific ransomware families and their toolsets. --------------------------------------------- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-fam… ∗∗∗ Linux: RPM prüft Signaturen nicht richtig ∗∗∗ --------------------------------------------- Eigentlich werden RPM-Pakte unter Linux signiert. Viele wichtige Teile der Signaturprüfung sind bisher aber gar nicht implementiert. --------------------------------------------- https://www.golem.de/news/linux-rpm-prueft-signaturen-nicht-richtig-2107-15… ∗∗∗ Another Exploit Hits WD My Book Live Owners ∗∗∗ --------------------------------------------- While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Toms Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was [...] --------------------------------------------- https://hardware.slashdot.org/story/21/06/30/2319243/another-exploit-hits-w… ∗∗∗ We Infiltrated a Counterfeit Check Ring! Now What? ∗∗∗ --------------------------------------------- Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and youve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and [...] --------------------------------------------- https://krebsonsecurity.com/2021/06/we-infiltrated-a-counterfeit-check-ring… ∗∗∗ Becoming Elon Musk - the Danger of Artificial Intelligence ∗∗∗ --------------------------------------------- A Tel Aviv, Israel-based artificial intelligence (AI) firm, with a mission to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents, has developed the opposite: an attack against facial recognition systems that can fool the algorithm into misinterpreting the image. --------------------------------------------- https://www.securityweek.com/becoming-elon-musk-%E2%80%93-danger-artificial… ∗∗∗ CISA’s CSET Tool Sets Sights on Ransomware Threat ∗∗∗ --------------------------------------------- CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. CSET—applicable to both information technology (IT) and industrial control system (ICS) networks—enables users to perform a comprehensive evaluation of their cybersecurity [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-s… ∗∗∗ Two years later, the NSABuffMiner botnet is still alive and kicking ∗∗∗ --------------------------------------------- A crypto-mining botnet named NSABuffMiner (or Indexsinas) is still active and infecting Windows systems using three leaked NSA exploits, security firm Guardicore said today. --------------------------------------------- https://therecord.media/two-years-later-the-nsabuffminer-botnet-is-still-al… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#383432: Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE ∗∗∗ --------------------------------------------- The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. --------------------------------------------- https://kb.cert.org/vuls/id/383432 ∗∗∗ Sicherheitsupdate: Microsoft entdeckt kritische Lücke in Netgear-Router ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für den WLAN Router DGN2200v1 von Netgear. --------------------------------------------- https://heise.de/-6126662 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (htmldoc, ipmitool, and node-bl), Fedora (libgcrypt and libtpms), Mageia (dhcp, glibc, p7zip, sqlite3, systemd, and thunar), openSUSE (arpwatch, go1.15, and kernel), SUSE (curl, dbus-1, go1.15, and qemu), and Ubuntu (xorg-server). --------------------------------------------- https://lwn.net/Articles/861521/ ∗∗∗ EC-CUBE fails to restrict access permissions ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN57942445/ ∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-022 ∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-021 ∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-020 ∗∗∗ Security Advisory - Path Traversal Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-… ∗∗∗ Security Notice – Statement About the Media Report on the Use of GEA-1 Weak Algorithm in Certain Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20210618-01-… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2021 CPU plus affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Using XSS attack, an attacker may inject Javascript code by modifying input fields in Datacap Navigator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-xss-attack-an-attac… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerability in TLS (CVE-2020-4831) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: SQL injection from various input fields may affect Datacap Navigator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-from-variou… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2021
by Daily end-of-shift report 30 Jun '21

30 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-06-2021 18:00 − Mittwoch 30-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Lorenz ransomware decryptor recovers victims files for free ∗∗∗ --------------------------------------------- Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lorenz-ransomware-decryptor-… ∗∗∗ An EPYC escape: Case-study of a KVM breakout ∗∗∗ --------------------------------------------- In this blog post I describe a vulnerability in KVM’s AMD-specific code and discuss how this bug can be turned into a full virtual machine escape. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of… ∗∗∗ MITRE ATT&CK® mappings released for built-in Azure security controls ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the publication of the Security Stack Mappings for Azure project in partnership with the Center for Threat-Informed Defense. --------------------------------------------- https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-rel… ∗∗∗ June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th) ∗∗∗ --------------------------------------------- Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago. --------------------------------------------- https://isc.sans.edu/diary/rss/27582 ∗∗∗ Babuk ransomware builder leaked following muddled “retirement” ∗∗∗ --------------------------------------------- Heads are being scratched after the Babuk ransomware builder appears on VirusTotal, adding to the gangs reputation for confusion. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leak… ∗∗∗ Unseriöse Online-Shops verkaufen Mystery-Box mit Produkten aus unzustellbaren Amazon-Paketen ∗∗∗ --------------------------------------------- Einen Gaming Laptop oder eine PlayStation um 16 Euro? Zahlreiche Online-Shops verkaufen derzeit eine Mystery-Box, mit der das möglich sein soll. Die Box beinhaltet laut den HändlerInnen nicht zustellbare Amazon-Produkte wie Laptops, Computer, Kameras oder teure Kopfhörer. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-online-shops-verkaufen-my… ∗∗∗ FIRST Challenge 2021 Writeup ∗∗∗ --------------------------------------------- Due to the COVID-19 pandemic the FIRST conference 2021 moved online and so did the annual CTF organized by the FIRST Security Lounge SIG. Thomas Pribitzer, Dimitri Robl, and Sebastian Waldbauer from CERT.at participated as a team, scoring the 9. place out of 42 teams. --------------------------------------------- https://cert.at/en/blog/2021/6/first-challenge-2021-writeup ∗∗∗ Gozi malware gang member arrested in Colombia ∗∗∗ --------------------------------------------- Authorities in Colombia have arrested this week a Romanian national named Mihai Ionut Paunescu, one of the three suspects charged in 2013 for creating and operating the infamous Gozi banking trojan. --------------------------------------------- https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/ ∗∗∗ REvil Twins ∗∗∗ --------------------------------------------- Deep Dive Into Prolific RaaS Affiliates’ TTPs --------------------------------------------- https://blog.group-ib.com/revil_raas ===================== = Vulnerabilities = ===================== ∗∗∗ DHCP Flood: Googles Cloud-VMs lassen sich per DHCP übernehmen ∗∗∗ --------------------------------------------- Angreifer könnten Root-Rechte in fremden VMs der Google-Cloud erhalten. Praktische Angriffe sind unwahrscheinlich, Updates gibt es nicht. --------------------------------------------- https://www.golem.de/news/dhcp-flood-googles-cloud-vms-lassen-sich-per-dhcp… ∗∗∗ CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th) ∗∗∗ --------------------------------------------- On June 21st, Microsoft modified the description of the vulnerability upgrading it to a remote code execution vulnerability. Earlier this week, an RCE exploit was posted to GitHub. --------------------------------------------- https://isc.sans.edu/diary/rss/27588 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fluidsynth), Fedora (libgcrypt and tpm2-tools), Mageia (nettle, nginx, openvpn, and re2c), openSUSE (kernel, roundcubemail, and tor), Oracle (edk2, lz4, and rpm), Red Hat (389-ds:1.4, edk2, fwupd, kernel, kernel-rt, libxml2, lz4, python38:3.8 and python38-devel:3.8, rpm, ruby:2.5, ruby:2.6, and ruby:2.7), and SUSE (kernel and lua53). --------------------------------------------- https://lwn.net/Articles/861420/ ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase (CVE-2020-27221, CVE-2020-14782, CVE-2020-2773, CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Commons Codec Vulnerability affects IBM Rational ClearQuest (177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-vuln… ∗∗∗ Drupal 8 end-of-life on November 2, 2021 (four months from now) - PSA-2021-2021-06-29 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2021-2021-06-29 ∗∗∗ Exacq Technologies exacqVision Web Service ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01 ∗∗∗ Exacq Technologies exacqVision Enterprise Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02 ∗∗∗ Panasonic FPWIN Pro ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03 ∗∗∗ JTEKT TOYOPUC PLC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-04 ∗∗∗ AVEVA System Platform ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05 ∗∗∗ Claroty Secure Remote Access Site ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2021
by Daily end-of-shift report 29 Jun '21

29 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 28-06-2021 18:00 − Dienstag 29-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ransomware gangs now creating websites to recruit affiliates ∗∗∗ --------------------------------------------- Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their service through alternative methods. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creatin… ∗∗∗ Microsoft successfully hit by dependency hijacking again ∗∗∗ --------------------------------------------- Microsoft has once again been successfully hit by a dependency hijacking attack. This month, another researcher found an npm internal dependency being used by an open-source project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-b… ∗∗∗ Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground ∗∗∗ --------------------------------------------- After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, its happened again - with big security ramifications. --------------------------------------------- https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/ ∗∗∗ CFBF Files Strings Analysis, (Mon, Jun 28th) ∗∗∗ --------------------------------------------- The Office file format that predates the OOXML format, is a binary format based on the CFBF format. I informally call this the ole file format. --------------------------------------------- https://isc.sans.edu/diary/rss/27576 ∗∗∗ Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th) ∗∗∗ --------------------------------------------- I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a pdf file, and instructed the recipient download the file for further information. --------------------------------------------- https://isc.sans.edu/diary/rss/27578 ∗∗∗ Verschlüsselungstrojaner REvil hat es nun auf virtuelle Maschinen abgesehen ∗∗∗ --------------------------------------------- Mehrere Sicherheitsforscher warnen vor einer neuen REvil-Version, die noch mehr Geräte bedroht. --------------------------------------------- https://heise.de/-6122156 ∗∗∗ Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ ∗∗∗ --------------------------------------------- Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-166… ∗∗∗ Instagram: Kooperationsanfragen von wegego.com sind Fake ∗∗∗ --------------------------------------------- Momentan werden Instagram-NutzerInnen vermehrt von einem Profil namens sara.wegego – einer angeblichen Brand Ambassador Managerin bei wegego.com – angeschrieben. Ihnen wird eine Kooperation mit dem Unternehmen angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-kooperationsanfragen-von-w… ∗∗∗ CISA Begins Cataloging Bad Practices that Increase Cyber Risk ∗∗∗ --------------------------------------------- In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-catal… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (klibc and libjdom2-java), Mageia (bash, glibc, gnutls, java-openjdk, kernel, kernel-linus, leptonica, libgcrypt, openjpeg2, tor, and trousers), openSUSE (bouncycastle, chromium, go1.16, and kernel), Oracle (docker-engine docker-cli and qemu), Red Hat (kpatch-patch), and SUSE (arpwatch, go1.16, kernel, libsolv, microcode_ctl, and python-urllib3, python-requests). --------------------------------------------- https://lwn.net/Articles/861310/ ∗∗∗ PoC released for dangerous Windows PrintNightmare bug ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service (spoolsv.exe) that can allow a total compromise of Windows systems. --------------------------------------------- https://therecord.media/poc-released-for-dangerous-windows-printnightmare-b… ∗∗∗ Security Bulletin: Vulnerabilities in Python, Tornado, and Urllib3 affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python… ∗∗∗ Security Bulletin: IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-dataquant-fix-for-all… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus has Insecure File Permissions due to not setting the Sticky Bit (CVE-2021-20490) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in open source libraries affects Tivoli Netcool/OMNIbus WebGUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Redis, MinIO, Golang, and Urllib3 affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-… ∗∗∗ Security Bulletin: Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-mongod… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-3449 , CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-23839, CVE-2021-23840) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbirary files due to improper group permissions. (CVE-2020-4945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerab… ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0700 ∗∗∗ MISP: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0699 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2021
by Daily end-of-shift report 28 Jun '21

28 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-06-2021 18:00 − Montag 28-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Using VMs To Hide Ransomware Attacks is Becoming More Popular ∗∗∗ --------------------------------------------- In early 2020, security researchers were baffled to discover that a ransomware gang had come up with an innovative trick that allowed it to run its payload inside virtual machines on infected hosts as a technical solution that bypassed security software. One year later, that technique has spread among the cybercrime underground and is now used by multiple ransomware operators. --------------------------------------------- https://it.slashdot.org/story/21/06/28/1521220/using-vms-to-hide-ransomware… ∗∗∗ Sicherheitsforscher der TU Wien warnen vor vergessenen Subdomains auf Webseiten ∗∗∗ --------------------------------------------- Vor einer Online-Sicherheitslücke durch sozusagen vergessene Unterseiten einer Website warnen Forscher der Technischen Universität (TU) Wien. Unter bestimmten Umständen kann man sich über derartige lose Enden bei Subdomains über die Hintertür Zugang zu Hauptseiten verschaffen, berichtet ein Team aus Wien und Italien im Rahmen einer Fachkonferenz. --------------------------------------------- https://www.derstandard.at/story/2000127773220/sicherheitsforscher-der-tu-w… ∗∗∗ Jetzt patchen! Angreifer attackieren Cisco Adaptive Security Appliance ∗∗∗ --------------------------------------------- Es ist Exploit-Code für eine Sicherheitslücke in Cisco ASA und FTD in Umlauf. --------------------------------------------- https://heise.de/-6120956 ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th) ∗∗∗ --------------------------------------------- This XML External Entity injection (XXE) vulnerability disclosed in March 2019 is still actively scanned for a vulnerable mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. This exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account. --------------------------------------------- https://isc.sans.edu/diary/rss/27570 ∗∗∗ Western Digital My Book: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode und Löschung der Daten ∗∗∗ --------------------------------------------- Western Digital hat eine Schwachstelle in seinen My Book NAS Geräten bekanntgegeben. Ein Angreifer kann diese Schwachstelle ausnutzen, um Schadcode auszuführen und unter Umständen die Geräte in Werkseinstellung zu bringen und alle Daten zu löschen. Dazu ist keine Anmeldung am Gerät erforderlich. ... Das BürgerCERT empfiehlt als Abhilfe, den Herstellerempfehlungen folgend, die Trennung des Gerätes vom Internet. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/TW/2021/06/warnmeldung_… ∗∗∗ Vulnerability Spotlight: Memory corruption vulnerability in PowerISO’s DMG handler ∗∗∗ --------------------------------------------- (CVE-2021-21871) is a memory corruption vulnerability in PowerISO that could result in the attacker gaining the ability to execute code on the victim machine. An attacker can exploit this vulnerability by tricking a user into opening a specially crafted DMG file. Cisco Talos worked with PowerISO to ensure that this issue is resolved and an update is available for affected customers --------------------------------------------- https://blog.talosintelligence.com/2021/06/vulnerability-spotlight-memory-.… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, intel-microcode, tiff, and xmlbeans), Fedora (openssh and php-phpmailer6), openSUSE (freeradius-server, java-1_8_0-openjdk, live555, openexr, roundcubemail, tor, and tpm2.0-tools), SUSE (bouncycastle and zziplib), and Ubuntu (linux-kvm and thunderbird). --------------------------------------------- https://lwn.net/Articles/861221/ ∗∗∗ ImageMagick: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- ImageMagick ist eine Sammlung von Programmbibliotheken und Werkzeugen, die Grafiken in zahlreichen Formaten verarbeiten kann. Ein lokaler Angreifer kann eine Schwachstelle in ImageMagick ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0698 ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ABB - Amnesia:33 – Impact on B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592… ∗∗∗ ABB - Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592… ∗∗∗ Security Bulletin: Incorrect authorization in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29751 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-authorization-i… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2017-18214, CVE-2016-4055, CVE-2021-20413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in lpd affects AIX (CVE-2021-29693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lpd-affe… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Jasper, Version 8 Service Refresh 5 Fix Pack 33, used in Jetty Server 9.4.14 where Rational Synergy is deployed. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jasper-v… ∗∗∗ Security Bulletin: Vulnerability found in Apache Log4j V1.x may affect IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-found-in-ap… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2021
by Daily end-of-shift report 25 Jun '21

25 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-06-2021 18:00 − Freitag 25-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Binance exchange helped track down Clop ransomware money launderers ∗∗∗ --------------------------------------------- Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify, and ultimately detain the suspects. --------------------------------------------- https://www.bleepingcomputer.com/news/security/binance-exchange-helped-trac… ∗∗∗ Microsoft signed a malicious Netfilter rootkit ∗∗∗ --------------------------------------------- What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen? --------------------------------------------- https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-r… ∗∗∗ SKS: Das Ende der alten PGP-Keyserver ∗∗∗ --------------------------------------------- Der Serverpool für die PGP-Keyserver mit der Software SKS wurde abgeschaltet. Grund sind Beschwerden wegen der Datenschutz-Grundverordnung. --------------------------------------------- https://www.golem.de/news/sks-das-ende-der-alten-pgp-keyserver-2106-157613.… ∗∗∗ ‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app ∗∗∗ --------------------------------------------- Who’s to blame: devs or management? And how do we cure application vulnerability epidemic Feature According to a recently published Osterman Research white paper, 81 per cent of developers admit to knowingly releasing vulnerable apps --------------------------------------------- https://www.theregister.com/2021/06/25/application_vulnerability_epidemic/ ∗∗∗ We explored the dangers of pirated sport streams so you don’t have to ∗∗∗ --------------------------------------------- The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, Youtube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has ran parallel with a rise in digital piracy. --------------------------------------------- https://www.webroot.com/blog/2021/05/12/we-explored-the-dangers-of-pirated-… ∗∗∗ Western Digital My Book Live: Trennen Sie Ihre Festplatten vom Internet ∗∗∗ --------------------------------------------- Daten auf Festplatten der WD-Baureihe My Book Live werden von extern gelöscht und durch fremde Passwörter unzugänglich gemacht. --------------------------------------------- https://heise.de/-6119250 ∗∗∗ Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency ∗∗∗ --------------------------------------------- The malware is thought to have generated millions of dollars in just a few short years. --------------------------------------------- https://www.zdnet.com/article/crackonosh-malware-abuses-windows-safe-mode-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, dovecot, exiv2, helm, keycloak, libslirp, matrix-appservice-irc, nginx-mainline, opera, pigeonhole, tor, tpm2-tools, and vivaldi), Debian (libgcrypt20), Fedora (pdfbox), Mageia (graphicsmagick, matio, and samba and ldb), openSUSE (dovecot23, gupnp, libgcrypt, live555, and ovmf), SUSE (gupnp, libgcrypt, openexr, and ovmf), and Ubuntu (ceph and rabbitmq-server). --------------------------------------------- https://lwn.net/Articles/860981/ ∗∗∗ Philips Interoperability Solution XDS ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Clear Text Transmission of Sensitive Information vulnerability in the Philips Interoperability Solution XDS document sharing system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-175-01 ∗∗∗ FATEK WinProladder ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, Out-of-bounds Write, and Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in FATEK WinProladder programmable logic controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-175-01 ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-27918 and CVE-2021-27919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Tika ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Netty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python urllib3 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to OpenSSL vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2021
by Daily end-of-shift report 24 Jun '21

24 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-06-2021 18:00 − Donnerstag 24-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Malicious spam campaigns delivering banking Trojans ∗∗∗ --------------------------------------------- In mid-March 2021, we observed two new spam campaigns delivering banking Trojans. The payload in most cases was IcedID, but we have also seen a few QBot (aka QakBot) samples. --------------------------------------------- https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/… ∗∗∗ Yet Another Archive Format Smuggling Malware ∗∗∗ --------------------------------------------- The use of novel disk image files to encapsulate malware distributed via spam has been a theme that we have highlighted over the past couple of years. As anticipated, we have seen more disk image file formats being used, in addition to .ISO, .IMG, and .DAA which we blogged about. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-arc… ∗∗∗ Online Credit Card Theft – A Brief Overview of Online Fraud and Abuse – Part 1 ∗∗∗ --------------------------------------------- Many clients that we work with host and operate ecommerce websites which are frequent targets of attackers. The goal of these attacks is to steal credit card details from unsuspecting victims and sell them on the black market for a profit. The online ecommerce environment is diverse, constituting many different content management system (CMS) platforms and payment gateways all of which have their own features and risks. In this post I will attempt to demystify this cluttered environment [...] --------------------------------------------- https://blog.sucuri.net/2021/06/online-credit-card-theft-online-fraud.html ∗∗∗ The May/June 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! --------------------------------------------- https://securityblog.switch.ch/2021/06/24/the-may-june-2021-issue-of-our-sw… ∗∗∗ Complicated Active Directory setups are undermining security ∗∗∗ --------------------------------------------- Researchers have found several flaws in the Active Directory Certificate Service that can lead to credential theft, privilege escalation, and domain persistence. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/06/complicated-active-directory-… ∗∗∗ Announcing a unified vulnerability schema for open source ∗∗∗ --------------------------------------------- In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work. --------------------------------------------- https://security.googleblog.com/2021/06/announcing-unified-vulnerability-sc… ∗∗∗ Betrügerische „Voicemail“ SMS massenhaft im Umlauf! ∗∗∗ --------------------------------------------- Eine neue Welle betrügerischer SMS-Nachrichten fegt momentan über den deutschsprachigen Raum hinweg. In diesen SMS ist von einer neuen Voicemail, also einer Sprachnachricht, die Rede. Ein Link zum Abhören führt zu einer Fake-Seite, auf der eine App heruntergeladen werden soll. Achtung: Die App enthält Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-voicemail-sms-massenh… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Bugs Could Have Led to 1-Click Takeover ∗∗∗ --------------------------------------------- A supply-chain attack could have siphoned sensitive information out of Jira, such as security issues on Atlassian cloud, Bitbucket and on-prem products. --------------------------------------------- https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/16… ∗∗∗ Sicherheitsupdate: Angreifer könnten eigene Befehle auf Qnap NAS ausführen ∗∗∗ --------------------------------------------- Qnap hat das Betriebssystem seiner Netzwerkspeicher gegen Command-Injection-Attacken abgesichert. --------------------------------------------- https://heise.de/-6117589 ∗∗∗ Kritische Admin-Lücke bedroht VMware Carbon Black App Control ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Server-Schutzlösung Carbon Black App Control von VMware attackieren. --------------------------------------------- https://heise.de/-6117422 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (apache-mod_auth_openidc, bind, bluez, cifs-utils, ffmpeg, gnome-autoar, guacd, kernel, kernel-linus, qtwebsockets5, slic3r, tunnel, wavpack, wireshark, and xscreensaver), openSUSE (apache2, cryptctl, go1.15, libnettle, python-rsa, salt, thunderbird, wireshark, libvirt, sbc, libqt5-qtmultimedia, xstream, and xterm), and SUSE (cryptctl, freeradius-server, libnettle, and libsolv). --------------------------------------------- https://lwn.net/Articles/860809/ ∗∗∗ 129 Dell models, including Secured-core PCs, vulnerable to new firmware flaws ∗∗∗ --------------------------------------------- Around 129 Dell consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs, have been found to be vulnerable to a series of vulnerabilities that can allow threat actors to pass as the official dell.com domain and trigger malicious BIOS/UEFI firmware updates. --------------------------------------------- https://therecord.media/129-dell-models-including-secured-core-pcs-vulnerab… ∗∗∗ Zyxel says a threat actor is targeting its enterprise firewall and VPN devices ∗∗∗ --------------------------------------------- Networking equipment vendor Zyxel has emailed customers this week to alert them about a series of attacks that have been targeting some of the companys high-end enterprise-focused firewall and VPN server products. --------------------------------------------- https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterpri… ∗∗∗ Security Advisory - Logic Vulnerability in Huawei WATCH Kid Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Pacemaker. (CVE-2020-25654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based (June 2021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbirary files due to improper group permissions. (CVE-2020-4945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au… ∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition, Version 7. (CVE-2020-14782, CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0686 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2021
by Daily end-of-shift report 23 Jun '21

23 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-06-2021 18:00 − Mittwoch 23-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ A week after arrests, Cl0p ransomware group dumps new tranche of stolen data ∗∗∗ --------------------------------------------- Leak shows that, like the rest of the ransomware scourge, Cl0p isnt going away. --------------------------------------------- https://arstechnica.com/?p=1775362 ∗∗∗ SonicWall bug affecting 800K firewalls was only partially fixed ∗∗∗ --------------------------------------------- New findings have emerged that shed light on a critical SonicWall vulnerability disclosed last year, which affected over 800,000 VPN firewalls and was initially thought to have been patched. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-bug-affecting-800k… ∗∗∗ PYSA ransomware backdoors education orgs using ChaChi malware ∗∗∗ --------------------------------------------- The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pysa-ransomware-backdoors-ed… ∗∗∗ Sure looks like someones pirating the REvil ransomware, tweaking the binary in a hex editor for their own crimes ∗∗∗ --------------------------------------------- Its a crook-eat-crook world out there It appears someone is pirating the infamous REvil ransomware by tweaking its files for their own purposes. --------------------------------------------- https://www.theregister.com/2021/06/23/revil_ransomware_lv/ ∗∗∗ Ferienwohnungen nicht auf luxfewo.de buchen ∗∗∗ --------------------------------------------- Ferienwohnungen und Unterkünfte werden heute überwiegend im Internet gebucht. Doch Vorsicht: Unter den zahlreichen Plattformen und Buchungswebseiten verstecken sich auch betrügerische Angebote. Wer beispielsweise auf luxfewo.de bucht und eine Anzahlung leistet, verliert viel Geld und hat am Ende keine Unterkunft. --------------------------------------------- https://www.watchlist-internet.at/news/ferienwohnungen-nicht-auf-luxfewode-… ∗∗∗ MITRE releases D3FEND, defensive measures complimentary to its ATT&CK framework ∗∗∗ --------------------------------------------- The MITRE Corporation, one of the most respected organizations in the cybersecurity field, has released today D3FEND, a complementary framework to its industry-recognized ATT&CK matrix. --------------------------------------------- https://therecord.media/mitre-releases-d3fend-defensive-measures-compliment… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Linux Marketplace Bugs Allow Wormable Attacks, Drive-By RCE ∗∗∗ --------------------------------------------- A pair of zero-days affecting Pling-based marketplaces could allow for some ugly attacks on unsuspecting Linux enthusiasts -- with no patches in sight. --------------------------------------------- https://threatpost.com/unpatched-linux-marketplace-bugs-rce/167155/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and linux-4.19), Fedora (tor), Oracle (rh-postgresql10-postgresql), Red Hat (kernel), SUSE (ansible, apache2, dovecot23, OpenEXR, ovmf, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-5.8, linux-azure,[...] --------------------------------------------- https://lwn.net/Articles/860652/ ∗∗∗ WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN63066062/ ∗∗∗ VDE-CERT Advisories 2021-06-23: Multiple Vulnerabilities in Phoenix Contact Products and Weidmueller Industrial WLAN devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ VMSA-2021-0013 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0013.html ∗∗∗ Python Flask vulnerability CVE-2018-1000656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63597327 ∗∗∗ Palo Alto Networks Patches Critical Vulnerability in Cortex XSOAR ∗∗∗ --------------------------------------------- https://www.securityweek.com/palo-alto-networks-patches-critical-vulnerabil… ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX316325 ∗∗∗ Advantech WebAccess HMI Designer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 ∗∗∗ CODESYS V2 web server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-02 ∗∗∗ CODESYS Control V2 communication ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-03 ∗∗∗ CODESYS Control V2 Linux SysFile library ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2021
by Daily end-of-shift report 22 Jun '21

22 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 21-06-2021 18:00 − Dienstag 22-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Darkside RaaS in Linux version ∗∗∗ --------------------------------------------- Unlike the Windows version of the malware that targets any Windows endpoint, Darkside Linux version is mostly targeting ESXi servers. Its default configuration includes the root path of ESX server machines. Targeted extensions are 'vmdk', 'log', 'vmem', 'vmsn' that are used in ESX servers for saving virtual machines information, data, and logs. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-ve… ∗∗∗ Wormable DarkRadiation Ransomware Targets Linux and Docker Instances ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new ransomware strain called "DarkRadiation" thats implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said [..] --------------------------------------------- https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html ∗∗∗ Paketmanager: Kryptomining-Schadcode auf PyPI zielt auf Data-Science-Projekte ∗∗∗ --------------------------------------------- Mit Namen wie mplatlib setzen die Pakete auf Verwechslung zu matplotlib. Sie laden ein Bash-Skript herunter, das versucht einen Kryptominer zu installieren. --------------------------------------------- https://heise.de/-6113470 ∗∗∗ Shadow Credentials: Abusing Key Trust Account Mapping for Takeover ∗∗∗ --------------------------------------------- The techniques for DACL-based attacks against User and Computer objects in Active Directory have been established for years. [..] These techniques have their shortcomings [..] Tl;dr: It is possible to add “Key Credentials” to the attribute msDS-KeyCredentialLink of the target user/computer object and then perform Kerberos authentication as that account using PKINIT. In plain English: this is a much easier and more reliable takeover primitive against Users and Computers. A tool to operationalize this technique has been released alongside this post. --------------------------------------------- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-ma… ===================== = Vulnerabilities = ===================== ∗∗∗ Tor Browser fixes vulnerability that tracks you using installed apps ∗∗∗ --------------------------------------------- The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tor-browser-fixes-vulnerabil… ∗∗∗ Bugs in NVIDIA’s Jetson Chipset Opens Door to DoS Attacks, Data Theft ∗∗∗ --------------------------------------------- Chipmaker patches nine high-severity bugs in its Jetson SoC framework tied to the way it handles low-level cryptographic algorithms. --------------------------------------------- https://threatpost.com/nvidia-jetson-chipset-dos-data-theft/167093/ ∗∗∗ Zephyr OS Bluetooth vulnerabilities left smart devices open to attack ∗∗∗ --------------------------------------------- The S in IoT stands for security. Vulnerabilities in the Zephyr real-time operating systems Bluetooth stack have been identified, leaving a wide variety of Internet of Things devices open to attack – unless upgraded to a patched version of the OS.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/06/22/zephyr_os_bl… ∗∗∗ VMSA-2021-0012 ∗∗∗ --------------------------------------------- CVE(s): CVE-2021-21998 The VMware Carbon Black App Control management server has an authentication bypass. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.4. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0012.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (audacity), openSUSE (chromium), Oracle (glib2), SUSE (Salt and salt), and Ubuntu (apache2 and openexr). --------------------------------------------- https://lwn.net/Articles/860559/ ∗∗∗ Security Advisory - Improper Permission Assignment Vulnerability in Some USB Dongle Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affect IBM License Key Server Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2021-3449). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in cyrus-sasl (CVE-2019-19906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in GNU cpio (CVE-2019-14866) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM WIoTP MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by vulnerabilities in libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2021
by Daily end-of-shift report 21 Jun '21

21 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-06-2021 18:00 − Montag 21-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Easy Access to the NIST RDS Database, (Sat, Jun 19th) ∗∗∗ --------------------------------------------- When you're facing some suspicious files while performing forensic investigations or analyzing malware components, it's always interesting to know these files are legit or malicious/modified. One of the key sources to verify hashes is provided by NIST and is called the NSLR project ("National Software Reference Library"). [...] CIRCL, the Luxembourg CERT, has a good reputation to offer/participate in services like MISP, a passive DNS service, etc. They are now offering an API to query the NIST RDS via HTTP or DNS requests! --------------------------------------------- https://isc.sans.edu/diary/rss/27544 ∗∗∗ 5 Critical Steps to Recovering From a Ransomware Attack ∗∗∗ --------------------------------------------- Businesses must prepare for the possibility of a ransomware attack affecting their data, services, and business continuity. What steps are involved in recovering from a ransomware attack? --------------------------------------------- https://thehackernews.com/2021/06/5-critical-steps-to-recovering-from.html ∗∗∗ ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung: IT-Security Analyst/Analystin (m/w/d - Vollzeit - Wien) ∗∗∗ ∗∗∗ --------------------------------------------- Zur Verstärkung unseres Analysis-Teams suchen wir nach einem/einer IT-Security Analysten/Analystin. --------------------------------------------- https://cert.at/de/ueber-uns/jobs/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4932 tor - security update ∗∗∗ --------------------------------------------- Multiple security vulnerabilities were discovered in Tor, aconnection-based low-latency anonymous communication system, whichcould result in denial of service or spoofing. --------------------------------------------- https://www.debian.org/security/2021/dsa-4932 ∗∗∗ Autodesk schließt Schadcode-Schlupflöcher in AutoCAD-Anwendungen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Produkte der AutoCAD-Familie. --------------------------------------------- https://heise.de/-6112990 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (connman, go, and grub), Debian (nettle, prosody, and tor), Fedora (iaito, mingw-ilmbase, mingw-openexr, mingw-python-urllib3, mosquitto, nettle, polkit, and radare2), Mageia (puddletag, python-babel, python-eventlet, and python-pikepdf), openSUSE (htmldoc), SUSE (go1.15, go1.16, gupnp, and libgcrypt), and Ubuntu (apache2 and dovecot). --------------------------------------------- https://lwn.net/Articles/860418/ ∗∗∗ CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation ∗∗∗ --------------------------------------------- this is an announcement for the recently reported bug (CVE-2021-3609) in the CAN BCM networking protocol in the Linux kernel ranging from version 2.6.25 to mainline 5.13-rc6. The vulnerability is a race condition in net/can/bcm.c allowing for local privilege escalation to root. --------------------------------------------- https://seclists.org/oss-sec/2021/q2/225 ∗∗∗ SYSS-2021-032: Admin Columns Free & Pro – Persistent Cross-Site Scripting (XSS) in Custom Field (CVE-2021-24365) ∗∗∗ --------------------------------------------- Das WordPress-Plug-in “Admin Columns” ermöglicht bis Version 5.5.1 (Pro) bzw. 4.3 (Free) Persistent Cross-Site Scripting (XSS)-Angriffe. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-032-admin-columns-free-pro-persi… ∗∗∗ Security Advisory - Deserialization Vulnerability in Huawei AnyOffice Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210619-… ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2021
by Daily end-of-shift report 18 Jun '21

18 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-06-2021 18:00 − Freitag 18-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Newly discovered Vigilante malware outs software pirates and blocks them ∗∗∗ --------------------------------------------- Most malware tries to steal stuff. Vigilante, by contrast, takes aim at piracy. --------------------------------------------- https://arstechnica.com/?p=1774437 ∗∗∗ Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th) ∗∗∗ --------------------------------------------- In yesterday's diary, we took a look at two methods that allow to capture network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights". --------------------------------------------- https://isc.sans.edu/diary/rss/27538 ∗∗∗ Open redirects ... and why Phishers love them, (Fri, Jun 18th) ∗∗∗ --------------------------------------------- Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ? Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there. --------------------------------------------- https://isc.sans.edu/diary/rss/27542 ∗∗∗ Intentional Flaw in GPRS Encryption Algorithm GEA-1 ∗∗∗ --------------------------------------------- General Packet Radio Service (GPRS) is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit key, the effective key length is only 40 bits, due to “an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. --------------------------------------------- https://www.schneier.com/blog/archives/2021/06/intentional-flaw-in-gprs-enc… ∗∗∗ Malicious Redirects Through Bogus Plugin ∗∗∗ --------------------------------------------- Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites. --------------------------------------------- https://blog.sucuri.net/2021/06/malicious-redirects-through-bogus-plugin.ht… ∗∗∗ Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise ∗∗∗ --------------------------------------------- Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-sup… ∗∗∗ Mit diesem Leitfaden der NSA können Admins IP-Telefonie schützen ∗∗∗ --------------------------------------------- Die National Security Agency spricht Empfehlungen aus, wie Sprach- und Videoanrufe sicherer werden. --------------------------------------------- https://heise.de/-6111092 ∗∗∗ Polazert Trojan using poisoned Google Search results to spread ∗∗∗ --------------------------------------------- The threat actors behind Trojan.Polazert are using keyword-stuffed PDF files to rank high in search results and attract new victims.Categories: AwarenessTags: Polazertratseo poisoningSolarMarkerstuffed PDF(Read more...)The post Polazert Trojan using poisoned Google Search results to spread appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poiso… ∗∗∗ Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers ∗∗∗ --------------------------------------------- The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to [...] --------------------------------------------- https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosti… ∗∗∗ Betrug bei QR-Code-Scannern: Darauf sollten Sie achten! ∗∗∗ --------------------------------------------- Egal ob bei der Registrierung in einem Restaurant, bei einem Impf- oder Testtermin: Spätestens durch die Corona-Krise wurde die Verwendung von QR-Codes zur Normalität. Dementsprechend poppen derzeit zahlreiche neue QR-Code-Scanner in den App-Stores auf. Aber Achtung: Hinter manchen dieser kostenlosen Apps verstecken sich BetrügerInnen. Vorsicht ist auch bei seriösen Apps geboten, da die angezeigten Werbungen betrügerisch sein können. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-bei-qr-code-scannern-darauf-s… ∗∗∗ A deep dive into the operations of the LockBit ransomware group ∗∗∗ --------------------------------------------- Most victims are from the enterprise and are expected to pay an average ransom of $85,000. --------------------------------------------- https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (aspnet-runtime, aspnet-runtime-3.1, chromium, drupal, intel-ucode, nginx, opera, python-django, radare2, thefuck, and vivaldi), Debian (jetty9), Fedora (dogtag-pki and pki-core), openSUSE (htmldoc and postgresql10), Oracle (dhcp), SUSE (apache2, caribou, jetty-minimal, libxml2, postgresql12, python-PyJWT, python-rsa, python-urllib3, thunderbird, tpm2.0-tools, xstream, and xterm), and Ubuntu (grub2-signed, grub2-unsigned and libxml2). --------------------------------------------- https://lwn.net/Articles/860260/ ∗∗∗ Hitachi Virtual File Platform vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN21298724/ ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: IBM Security Identity Manager Virtual Appliance deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: A vulnerability have been identified in Apache Commons IO shipped with IBM Tivoli Netcool/OMNIbus Probe for Microsoft Exchange Web Services (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Identity Manager deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2021-25214 and CVE-2021-25215 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affecte… ∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul… ∗∗∗ VMSA-2021-0011 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0011.html ∗∗∗ Google Chrome: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0670 ∗∗∗ Schneider Electric EnerlinX Com’X 510 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-168-01 ∗∗∗ Softing OPC-UA C++ SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02 ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03 ∗∗∗ WAGO M&M Software fdtCONTAINER (Update C) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05 ∗∗∗ Rockwell Automation ISaGRAF5 Runtime (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-280-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2021
by Daily end-of-shift report 17 Jun '21

17 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-06-2021 18:00 − Donnerstag 17-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Criminals are mailing hacked Ledger devices to steal cryptocurrency ∗∗∗ --------------------------------------------- Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-… ∗∗∗ Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th) ∗∗∗ --------------------------------------------- The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts. --------------------------------------------- https://isc.sans.edu/diary/rss/27536 ∗∗∗ Top 5 ICS Incident Response Tabletops and How to Run Them ∗∗∗ --------------------------------------------- In this blog SANS instructor, Dean Parsons, discusses the top five ICS incident response table tops and how to run them. How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against Ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure? --------------------------------------------- https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-… ∗∗∗ What you need to know about Process Ghosting, a new executable image tampering attack ∗∗∗ --------------------------------------------- This blog describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF). --------------------------------------------- https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tamperi… ∗∗∗ Google schickt Framework gegen Supply-Chain-Angriffe ins Rennen ∗∗∗ --------------------------------------------- SLSA soll die Integrität von Code vom Einchecken ins Repository über den Build-Prozess bis zum Verwenden von Paketen sicherstellen. --------------------------------------------- https://heise.de/-6073057 ∗∗∗ Cybercriminals go after Amazon Prime Day Shoppers ∗∗∗ --------------------------------------------- - In the last 30 days, over 2300 new domains were registered about Amazon, a 10% increase from the previous Amazon Prime Day, where the majority now are either malicious or suspicious - Almost 1 out of 2 (46%) of new domains registered containing the word “Amazon” are malicious - Almost 1 out of 3 (32%) of new domains registered with the word “Amazon” are deemed suspicious --------------------------------------------- https://blog.checkpoint.com/2021/06/16/cybercriminals-go-after-amazon-prime… ===================== = Vulnerabilities = ===================== ∗∗∗ Hitachi Application Server Help vulnerable cross-site scripting ∗∗∗ --------------------------------------------- The following products are affected by the vulnerability. * Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier * Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier Solution: Apply the appropriate latest version of the help according to the information provided by the developer. --------------------------------------------- https://jvn.jp/en/jp/JVN03776901/ ∗∗∗ Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015 ∗∗∗ --------------------------------------------- Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didnt make it into Drupal Core 8.0.x and port them.The module doesnt sufficiently handle block access control on its EntityView plugin. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-015 ∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017 ∗∗∗ --------------------------------------------- This module provides a revision UI to Block Content entities.The module doesnt sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-017 ∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016 ∗∗∗ --------------------------------------------- This module provides a revision UI to Linky entities.The module doesnt sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-016 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Security Advisories zu acht Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, vier als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gnupnp and postgresql), Fedora (dino, microcode_ctl, and xen), Mageia (apache, gsoap, libgd, openssh, perl-Image-ExifTool, python-bleach, and qt4 and qtsvg5), openSUSE (chromium, containerd, docker, runc, djvulibre, htmldoc, kernel, libjpeg-turbo, libopenmpt, libxml2, spice, squid, and ucode-intel), Red Hat (dhcp and glib2), SUSE (apache2, inn, java-1_8_0-openjdk, and webkit2gtk3), and Ubuntu (nettle). --------------------------------------------- https://lwn.net/Articles/860128/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0666 ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um einen Denial of Service oder Cross Site Scripting Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0669 ∗∗∗ Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-icu-vulnerability-affects… ∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Java vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-c… ∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying WebSphere Liberty vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-c… ∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: Vulnerability in the AIX trace facility (CVE-2021-29706) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-jasperreports-vu… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily