- Daily - CERT.at

Tageszusammenfassung - 16.06.2021
by Daily end-of-shift report 16 Jun '21

16 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-06-2021 18:00 − Mittwoch 16-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Avaddon ransomwares exit sheds light on victim landscape ∗∗∗ --------------------------------------------- A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avaddon-ransomwares-exit-she… ∗∗∗ Protecting Against Ransomware – From the Human Perspective ∗∗∗ --------------------------------------------- SANS blog post on what ransomware is, how it works, and most importantly, how to empower your workforce to protect against it. --------------------------------------------- https://www.sans.org/blog/protecting-against-ransomware-from-the-human-pers… ∗∗∗ Nokia Deepfield global analysis shows most DDoS attacks originate from fewer than 50 hosting companies ∗∗∗ --------------------------------------------- In-depth analysis across large sample of networks globally fingerprints and traces origins of most DDoS attacks (by frequency and traffic volume)[...] --------------------------------------------- https://www.nokia.com/about-us/news/releases/2021/06/14/nokia-deepfield-glo… ∗∗∗ The First Step: Initial Access Leads to Ransomware ∗∗∗ --------------------------------------------- Ransomware attacks still use email -- but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access… ∗∗∗ Achtung: Amazon-Bestellungen nicht außerhalb der Plattform abwickeln! ∗∗∗ --------------------------------------------- Über Amazon zu bestellen ist für viele ein einfacher Weg, um verschiedenste Produkte an einem Ort zu kaufen. Doch auch auf Amazon stößt man auf betrügerische Angebote! Wenn Amazon-HändlerInnen die Bestellung über E-Mail abwickeln wollen, sollten Sie vorsichtig sein. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-amazon-bestellungen-nicht-au… ∗∗∗ On the Security of RFID-based TOTP Hardware Tokens ∗∗∗ --------------------------------------------- Matthias Deeg und Gerhard Klostermeier untersuchten zwei unterschiedliche RFID-basierte TOTP Hardware-Token, das OTCP-P2 und das Protectimus SLIM NFC. --------------------------------------------- https://www.syss.de/pentest-blog/on-the-security-of-rfid-based-totp-hardwar… ∗∗∗ Ukrainian police arrest Clop ransomware members, seize server infrastructure ∗∗∗ --------------------------------------------- Multiple suspects believed to be linked to the Clop ransomware cartel have been detained in Ukraine this week after a joint operation from law enforcement agencies from Ukraine, South Korea, and the US. --------------------------------------------- https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-sei… ===================== = Vulnerabilities = ===================== ∗∗∗ Qnap: Updates für NAS beseitigen aus der Ferne ausnutzbare Schwachstelle ∗∗∗ --------------------------------------------- Betriebssystem-Updates für Qnaps Netzwerkspeicher (NAS) schließen zwei mit "Medium" bewertete Schwachstellen, von denen eine übers Internet attackierbar ist. --------------------------------------------- https://heise.de/-6072554 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (prosody, python-urllib3, and xen), Fedora (dino, dotnet3.1, dotnet5.0, and vmaf), Oracle (gupnp, kernel, and kernel-container), Red Hat (gupnp), Scientific Linux (kernel), SUSE (java-1_8_0-openjdk, kernel, snakeyaml, and xorg-x11-libX11), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/860004/ ∗∗∗ ZDI-21-502: An Information Disclosure Bug in ISC BIND server ∗∗∗ --------------------------------------------- You should verify you have a patched version of BIND as many OS distributions provide BIND packages that differ from the official ISC release versions. --------------------------------------------- https://www.thezdi.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-… ∗∗∗ Security Advisory - Out-Of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210616-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.8, V5.1.0.9 and V6.0.0.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2020-27221, CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specifically crafted select statement. (CVE-2021-29702) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2020-1968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Resilient App Host secrets are not encrypted (CVE-2021-20567) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-app-host-secret… ∗∗∗ Cross-Site Request Forgery Patched in WP Fluent Forms ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-i… ∗∗∗ Synology-SA-21:21 Audio Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_21 ∗∗∗ Trend Micro InterScan Web Security Virtual Appliance: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0660 ∗∗∗ ThroughTek P2P SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01 ∗∗∗ Automation Direct CLICK PLC CPU Modules ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-166-02 ∗∗∗ SYSS-2021-022, SYSS-2021-023, SYSS-2021-025, SYSS-2021-026: Mehrere Schwachstellen in HR-Software LOGA3 ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-022-syss-2021-023-syss-2021-025-… ∗∗∗ SYSS-2021-007: Protectimus SLIM NFC – External Control of System or Configuration Setting (CWE-15) (CVE-2021-32033) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-007-protectimus-slim-nfc-externa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2021
by Daily end-of-shift report 15 Jun '21

15 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 14-06-2021 18:00 − Dienstag 15-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Paradise Ransomware source code released on a hacking forum ∗∗∗ --------------------------------------------- The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paradise-ransomware-source-c… ∗∗∗ Andariel evolves to target South Korea with ransomware ∗∗∗ --------------------------------------------- In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. --------------------------------------------- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomwa… ∗∗∗ Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th) ∗∗∗ --------------------------------------------- Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. --------------------------------------------- https://isc.sans.edu/diary/rss/27528 ∗∗∗ Experts Shed Light On Distinctive Tactics Used by Hades Ransomware ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER. --------------------------------------------- https://thehackernews.com/2021/06/experts-shed-light-on-distinctive.html ∗∗∗ What’s past is prologue – A new world of critical infrastructure security ∗∗∗ --------------------------------------------- Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems. --------------------------------------------- https://blog.talosintelligence.com/2021/06/new-world-after-pipeline-ransomw… ∗∗∗ Tracking Amazon delivery staff ∗∗∗ --------------------------------------------- The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs. --------------------------------------------- https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staf… ∗∗∗ Beantragen Sie Kredite nicht auf ulacglobalfinanzen.com ∗∗∗ --------------------------------------------- Sie sind auf der Suche nach einem Kredit und recherchieren im Internet günstige Konditionen? Möglicherweise kommt Ihnen dann ulacglobalfinanzen.com unter – eine unseriöse Kreditgesellschaft mit großartigen Konditionen und unkomplizierter Abwicklung. Wer dort um einen Kredit ansucht, verliert jedoch Geld und übermittelt Kriminellen persönliche Daten! --------------------------------------------- https://www.watchlist-internet.at/news/beantragen-sie-kredite-nicht-auf-ula… ∗∗∗ Vishing: What is it and how do I avoid getting scammed? ∗∗∗ --------------------------------------------- How do vishing scams work, how do they impact businesses and individuals, and how can you protect yourself, your family and your business? --------------------------------------------- https://www.welivesecurity.com/2021/06/14/vishing-what-is-it-how-avoid-gett… ∗∗∗ Ransomware attacks continue to Surge, hitting a 93% increase year over year ∗∗∗ --------------------------------------------- Number of organizations impacted by ransomware has risen to 1210 in June 2021. Check Point Research sees a 41% increase in attacks since the beginning of 2021 and a 93% increase year over year. --------------------------------------------- https://blog.checkpoint.com/2021/06/14/ransomware-attacks-continue-to-surge… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall schließt Denial-of-Service-Lücke in Firewall-Betriebssystem SonicOS ∗∗∗ --------------------------------------------- Das webbasierte Management-Interface einiger SonicOS-Versionen hätte mittels spezieller POST-Requests lahmgelegt werden können. Updates ändern das. --------------------------------------------- https://heise.de/-6071069 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, dhcp, firefox, glib2, hivex, kernel, postgresql, qemu-kvm, qt5-qtimageformats, samba, and xorg-x11-server), Fedora (kernel and kernel-tools), Oracle (kernel and postgresql), Red Hat (dhcp and gupnp), Scientific Linux (gupnp and postgresql), SUSE (postgresql10 and xterm), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/859842/ ∗∗∗ iOS 12.5.4 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212548 ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential Cross Site Scripting (XSS) CVE-2020-5000 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote… ∗∗∗ Security Bulletin: Genivia gSOAP vulnerabilities affect IBM Spectrum Protect for Virtual Environments:Data Protection for VMware and Spectrum Protect Client (CVE-2020-13575, CVE-2020-13578, CVE-2020-13574, CVE-2020-13577, CVE-2020-13576, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-genivia-gsoap-vulnerabili… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-27290) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2021
by Daily end-of-shift report 14 Jun '21

14 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-06-2021 18:00 − Montag 14-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== *** DDoS Angriffe gegen Unternehmen in Österreich *** --------------------------------------------- Seit einigen Wochen versucht eine Gruppe, die sich "Fancy Lazarus" nennt, mittels DDoS-Angriffen und der Androhung von Folgeangriffen, Schutzgelder zu erpressen. Vergleichbare Angriffe gab es global auch schon ab August 2020 unter ähnlichen Namen. Nachdem wir Meldungen von Partner-CERTs an uns über Angriffe auf Ziele in anderen EU Staaten bekommen haben, sind jetzt auch in Österreich einige Fälle aufgetreten. --------------------------------------------- https://cert.at/de/warnungen/2021/6/ddos-angriffe-gegen-unternehmen-in-oste… ∗∗∗ Password Attacks 101 ∗∗∗ --------------------------------------------- According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number hit 30%. Brute force attacks have a similar share, accounting for 18% of all breaches, and 34% of those for small businesses. Why are password attacks like brute forcing so effective? And how exactly do they work? Let’s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes. --------------------------------------------- https://blog.sucuri.net/2021/06/3-password-attacks-101.html ∗∗∗ Macher der Ransomware Avaddon geben auf und veröffentlichen Schlüssel ∗∗∗ --------------------------------------------- Es ist ein kostenloses Entschlüsselungstool für Opfer des Erpressungstrojaners Avaddon erschienen. --------------------------------------------- https://heise.de/-6070028 ∗∗∗ Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly. --------------------------------------------- https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-… ∗∗∗ Micropatch for Another Remote Code Execution Issue in Internet Explorer (CVE-2021-31959) ∗∗∗ --------------------------------------------- Windows Updates brought a fix for another "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419) discovered by Ivan Fratric of Google Project Zero, very similar to this vulnerability discovered also discovered by Ivan and patched in May.Ivan published details and a proof-of-concept three days ago and we took these to reproduce the vulnerability in our lab and create a micropatch for it. --------------------------------------------- https://blog.0patch.com/2021/06/micropatch-for-another-remote-code.html ∗∗∗ Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs ∗∗∗ --------------------------------------------- I recently came across an interesting bug in the Microsoft Power Apps service which, despite its simplicity, can be leveraged by an attacker to gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, Sharepoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows. The bug has since been fixed by Microsoft, but in this blog we’re going to see how it /could/ have been exploited. --------------------------------------------- https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-i… ===================== = Vulnerabilities = ===================== ∗∗∗ High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin ∗∗∗ --------------------------------------------- We initially reached out to the plugin’s developer on May 21, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details on May 24, 2021. A patch was quickly released on May 28, 2021 in version 2.6.0. We highly recommend updating to the latest patched version available, 2.6.0, immediately. --------------------------------------------- https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, gitlab, inetutils, isync, kube-apiserver, nettle, polkit, python-urllib3, python-websockets, thunderbird, and wireshark-cli), Debian (squid3), Fedora (glibc, libxml2, mingw-openjpeg2, and openjpeg2), Mageia (djvulibre, docker-containerd, exif, gnuchess, irssi, jasper, kernel, kernel-linus, microcode, python-lxml, python-pygments, rust, slurm, and wpa_supplicant, hostapd), openSUSE (389-ds and pam_radius), Oracle (.NET Core 3.1, container-tools:3.0, container-tools:ol8, krb5, microcode_ctl, postgresql:12, postgresql:13, and runc), Red Hat (dhcp, postgresql, postgresql:10, postgresql:12, postgresql:9.6, rh-postgresql10-postgresql, rh-postgresql12-postgresql, and rh-postgresql13-postgresql), Scientific Linux (dhcp and microcode_ctl), SUSE (ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone, crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store, freeradius-server, libjpeg-turbo, spice, and squid), and Ubuntu (rpcbind). --------------------------------------------- https://lwn.net/Articles/859669/ ∗∗∗ Security Bulletin: Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential caching vulnerability (CVE-2020-5003 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-financi… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ CISA Releases Advisory on ZOLL Defibrillator Dashboard ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/14/cisa-releases-adv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2021
by Daily end-of-shift report 11 Jun '21

11 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-06-2021 18:00 − Freitag 11-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th) ∗∗∗ --------------------------------------------- With Python getting more and more popular, especially on Microsoft Operating systems, it's common to find malicious Python scripts today. --------------------------------------------- https://isc.sans.edu/diary/rss/27514 ∗∗∗ SQL Injection: Gezielte Maßnahmen statt Block Lists ∗∗∗ --------------------------------------------- Bei Schwachstellen im Web nimmt SQL Injection nach wie vor eine führende Rolle ein, dabei ist die Abwehr gar nicht schwer. --------------------------------------------- https://heise.de/-6067640 ∗∗∗ Why hackers don’t fly coach ∗∗∗ --------------------------------------------- Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain (AISD). --------------------------------------------- https://www.pentestpartners.com/security-blog/why-hackers-dont-fly-coach/ ∗∗∗ Unbefugter Zugriff auf Ihr PayPal-Konto? Ignorieren Sie diese E-Mail! ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle eine Phishing-Mail im Namen von PayPal. Angeblich gäbe es ungewöhnliche Aktivitäten auf Ihrem PayPal-Konto. Daher müssten Sie sich einloggen und Ihre Identität bestätigen. Gehen Sie nicht auf die Forderungen ein. Kriminelle versuchen Zugang zu Ihrem PayPal-Konto zu bekommen. --------------------------------------------- https://www.watchlist-internet.at/news/unbefugter-zugriff-auf-ihr-paypal-ko… ∗∗∗ Proxy Windows Tooling via SOCKS ∗∗∗ --------------------------------------------- Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion. --------------------------------------------- https://posts.specterops.io/proxy-windows-tooling-via-socks-c1af66daeef3 ∗∗∗ BackdoorDiplomacy: Upgrading from Quarian to Turian ∗∗∗ --------------------------------------------- ESET researchers discover a new campaign that evolved from the Quarian backdoor. --------------------------------------------- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quari… ∗∗∗ Breaking SSL Locks: App Developers Behaving Badly ∗∗∗ --------------------------------------------- Symantec analyzed five years’ worth of Android and iOS apps to see how many are sending data securely. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mo… ∗∗∗ Authorities seize SlilPP, a marketplace for stolen login credentials ∗∗∗ --------------------------------------------- The US Department of Justice announced today it seized the servers and domains of SlilPP, a well-known online marketplace where criminal groups assembled to trade stolen login credentials. --------------------------------------------- https://therecord.media/authorities-seize-slilpp-a-marketplace-for-stolen-l… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers can exploit bugs in Samsung pre-installed apps to spy on users ∗∗∗ --------------------------------------------- Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-exploit-bugs-in-… ∗∗∗ Qnap sichert Switches und Netzwerkspeicher vor unberechtigten Zugriffen ab ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Netzwerkgeräte von Qnap. --------------------------------------------- https://heise.de/-6068667 ∗∗∗ Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog) ∗∗∗ --------------------------------------------- On the GitHub blog, Kevin Backhouse writes about a privilege escalation vulnerability in polkit, which enables an unprivileged local user to get a root shell on the system. CVE-2021-3560 is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request. --------------------------------------------- https://lwn.net/Articles/859064/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libwebp), Fedora (firefox, lasso, mod_auth_openidc, nginx, redis, and squid), Oracle (.NET 5.0, container-tools:2.0, dhcp, gupnp, hivex, kernel, krb5, libwebp, nginx:1.16, postgresql:10, and postgresql:9.6), SUSE (containerd, docker, runc, csync2, and salt), and Ubuntu (libimage-exiftool-perl, libwebp, and rpcbind). --------------------------------------------- https://lwn.net/Articles/859192/ ∗∗∗ WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN70566757/ ∗∗∗ Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/27518 ∗∗∗ ZDI-21-682: (0Day) D-Link DAP-1330 HNAP Cookie Header Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-682/ ∗∗∗ ZDI-21-681: (0Day) D-Link DAP-1330 lighttpd http_parse_request Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-681/ ∗∗∗ ZDI-21-680: (0Day) D-Link DAP-1330 lighttpd get_soap_action Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-680/ ∗∗∗ ZDI-21-679: (0Day) D-Link DAP-1330 HNAP checkValidRequest Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-679/ ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects TPF Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to cacheable SSL Pages (CVE-2021-20396) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0652 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2021
by Daily end-of-shift report 10 Jun '21

10 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-06-2021 18:00 − Donnerstag 10-06-2021 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Cloud Atlas Navigates Us Into New Waters ∗∗∗ --------------------------------------------- Learn how to interpret nameserver activity to enumerate infrastructure in the context of a recent Cloud Atlas example investigated by Senior Security Researcher, Chad Anderson. --------------------------------------------- https://www.domaintools.com/resources/blog/cloud-atlas-navigates-us-into-ne… ∗∗∗ BloodHound – Sniffing Out the Path Through Windows Domains ∗∗∗ --------------------------------------------- BloodHound is as a tool allowing for the analysis of AD rights and relations, focusing on the ones that an attacker may abuse. --------------------------------------------- https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-doma… ∗∗∗ Quarterly Report: Incident Response trends from Spring 2021 ∗∗∗ --------------------------------------------- While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter. --------------------------------------------- https://blog.talosintelligence.com/2021/06/quarterly-report-incident-respon… ∗∗∗ CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets ∗∗∗ --------------------------------------------- CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/09/cisa-addresses-ri… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf Googles Webbrowser Chrome könnten bevorstehen ∗∗∗ --------------------------------------------- Es ist eine gegen verschiedene Attacken abgesicherte Version des Webbrowsers Chrome erschienen. --------------------------------------------- https://heise.de/-6067353 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (htmldoc, lasso, and rails), Fedora (exiv2, firefox, and microcode_ctl), openSUSE (python-HyperKitty), Oracle (389-ds-base, qemu-kvm, qt5-qtimageformats, and samba), Red Hat (container-tools:3.0, container-tools:rhel8, postgresql:12, and postgresql:13), Scientific Linux (389-ds-base, hivex, libwebp, qemu-kvm, qt5-qtimageformats, samba, and thunderbird), SUSE (caribou, djvulibre, firefox, gstreamer-plugins-bad, kernel, libopenmpt, libxml2, --------------------------------------------- https://lwn.net/Articles/859008/ ∗∗∗ ZOLL Defibrillator Dashboard ∗∗∗ --------------------------------------------- This advisory contains mitigations for Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Cryptographic Key, Cleartext Storage of Sensitive Information, Cross-site Scripting, Storing Passwords in a Recoverable Format, and Improper Privilege Management vulnerabilities in the ZOLL Defibrillator Dashboard software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01 ∗∗∗ Rockwell Automation FactoryTalk Services Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Protection Mechanism Failure vulnerability in Rockwell Automations Factory Talk Services Platform software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-161-01 ∗∗∗ AGG Software Web Server Plugin ∗∗∗ --------------------------------------------- This advisory contains mitigations for Path Traversal, and Cross-site Scripting vulnerabilities in AGG Softwares Server Plugin. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-161-02 ∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210609-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Eclipse Jetty (CVE-2021-28163, CVE-2021-28164, CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2020-5024, CVE-2020-5025, CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX316324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2021
by Daily end-of-shift report 09 Jun '21

09 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-06-2021 18:00 − Mittwoch 09-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Intel fixes 73 vulnerabilities in June 2021 Platform Update ∗∗∗ --------------------------------------------- Intel has addressed 73 security vulnerabilities as part of the June 2021 Patch Tuesday, including high severity ones impacting some versions of Intels Security Library and the BIOS firmware for Intel processors. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/intel-fixes-73-vulnerabiliti… ∗∗∗ PuzzleMaker attacks with Chrome zero-day exploit chain ∗∗∗ --------------------------------------------- We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. --------------------------------------------- https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/ ∗∗∗ Alpaca-Attacke: Angreifer könnten mit TLS gesicherte Verbindungen attackieren ∗∗∗ --------------------------------------------- Sicherheitsforscher zeigen theoretische Attacken auf TLS-Verbindungen. Angreifer könnten beispielsweise Sessions kapern. --------------------------------------------- https://heise.de/-6066915 ∗∗∗ Nameless Malware Discovered by NordLocker is Now in Have I Been Pwned ∗∗∗ --------------------------------------------- [...] they're sitting on a bunch of compromised personal info, now what? As with the two law enforcement agencies, NordLocker's goal is to inform impacted parties which is where HIBP comes in so as of now, all 1,121,484 compromised email addresses are searchable. --------------------------------------------- https://www.troyhunt.com/nameless-malware-discovered-by-nordlocker-is-now-i… ∗∗∗ Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning ∗∗∗ --------------------------------------------- Cisco’s Smart Install protocol is still being abused in attacks — five years after the networking giant issued its first warning — and there are still roughly 18,000 internet-exposed devices that could be targeted by hackers. --------------------------------------------- https://www.securityweek.com/cisco-smart-install-protocol-still-abused-atta… ∗∗∗ Kleinanzeigen-Betrug: Potenzielle KäuferInnen wollen Zahlung über DHL abwickeln ∗∗∗ --------------------------------------------- Aktuell wenden Kriminelle in Kleinanzeigenplattformen wie willhaben, shpock und Co vermehrt den DHL-Trick an, um VerkäuferInnen Geld zu stehlen. Dabei geben sich Kriminelle als KäuferInnen aus und schlagen vor, die Zahlung über DHL abzuwickeln. Sie behaupten, DHL verwalte nun Zahlungen, um KäuferInnen und VerkäuferInnen eine sichere Abwicklung zu ermöglichen. In Wahrheit stecken die Kriminellen hinter den DHL-Nachrichten und versuchen so an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigen-betrug-potenzielle-kae… ∗∗∗ The Sysrv-hello Cryptojacking Botnet: Here’s What’s New ∗∗∗ --------------------------------------------- The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts. Like many of the threat actor tools weve covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptoja… ===================== = Vulnerabilities = ===================== ∗∗∗ Unsachgemäße Authentifizierung in SAP NetWeaver ABAP Server und ABAP Platform ∗∗∗ --------------------------------------------- Im Rahmen des Patchdays Juni 2021 veröffentlichte die SAP SE den Sicherheitshinweis 3007182, der einen schwerwiegenden Design-Fehler adressiert,… --------------------------------------------- https://sec-consult.com/de/blog/detail/unsachgemaesse-authentifizierung-in-… ∗∗∗ Updates verfügbar: Schwachstellen in Message-Brokern RabbitMQ, EMQ X und VerneMQ ∗∗∗ --------------------------------------------- Die Message-Broker sind für Denial-of-Service-Angriffe über das IoT-Protokoll MQTT anfällig. Aktuelle Patches sind verfügbar, Sie sollten sie schnell anwenden. --------------------------------------------- https://heise.de/-6065996 ∗∗∗ XSA-375 - Speculative Code Store Bypass ∗∗∗ --------------------------------------------- Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Resolution: Applying the appropriate attached patch resolves this issue. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-375.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (eterm, mrxvt, and rxvt), Mageia (cgal, curl, exiv2, polkit, squid, thunderbird, and upx), openSUSE (firefox and libX11), Oracle (libwebp, nginx:1.18, and thunderbird), Red Hat (.NET 5.0, .NET Core 3.1, 389-ds-base, dhcp, gupnp, hivex, kernel, kernel-rt, libldb, libwebp, microcode_ctl, nettle, postgresql:10, postgresql:9.6, qemu-kvm, qt5-qtimageformats, rh-dotnet50-dotnet, and samba), SUSE (apache2-mod_auth_openidc, firefox, gstreamer-plugins-bad, kernel, libX11, pam_radius, qemu, runc, spice, and spice-gtk), and Ubuntu (intel-microcode and rpcbind). --------------------------------------------- https://lwn.net/Articles/858832/ ∗∗∗ Dell PowerEdge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- DSA-2021-078: Dell PowerEdge Server Security Advisory for a Trusted Platform Module (TPM) 1.2 Firmware Vulnerability DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0628 ∗∗∗ Xen: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Xen ausnutzen, um Informationen offenzulegen, seine Privilegien zu erhöhen oder einen Denial of Service Zustand herbeizuführen. * XSA-377: x86: TSX Async Abort protections not restored after S3 * XSA-374: Guest triggered use-after-free in Linux xen-netback * XSA-373: inappropriate x86 IOMMU timeout detection / handling * XSA-372: xen/arm: Boot modules are not scrubbed --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0627 ∗∗∗ Multiple vulnerabilities in Bosch IP cameras ∗∗∗ --------------------------------------------- BOSCH-SA-478243-BT: Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.Customers are strongly advised to upgrade to the fixed versions. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates. * APSB21-36 Security update available for Adobe Connect * APSB21-37 Security update available for Adobe Acrobat and Reader * APSB21-38 Security update available for Adobe Photoshop * APSB21-39 Security update available for Adobe Experience Manager * APSB21-41 Security update available for Adobe Creative Cloud Desktop Application * APSB21-44 Security update available for Adobe RoboHelp Server * APSB21-46 Security update available for Adobe Photoshop Elements * APSB21-47 Security update available for Adobe Premiere Elements * APSB21-49 Security update available for Adobe After Effects * APSB21-50 Security update available for Adobe Animate --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/08/adobe-releases-se… ∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) stores keystore passwords in plain after a manuel edit, which can be read by a local user. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Nettle cryptography library vulnerability CVE-2021-20305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33101555?utm_source=f5support&utm_mediu… ∗∗∗ Linux kernel vulnerability CVE-2019-11811 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01512680?utm_source=f5support&utm_mediu… ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01 ∗∗∗ Open Design Alliance Drawings SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02 ∗∗∗ AVEVA InTouch ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-03 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-04 ∗∗∗ Schneider Electric Modicon X80 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-05 ∗∗∗ Thales Sentinel LDK Run-Time Environment ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2021
by Daily end-of-shift report 08 Jun '21

08 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 07-06-2021 18:00 − Dienstag 08-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Office MSGraph vulnerability could lead to code execution ∗∗∗ --------------------------------------------- Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-office-msgraph-vul… ∗∗∗ Picture this: Malware Hides in Steam Profile Images ∗∗∗ --------------------------------------------- SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals. --------------------------------------------- https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images ∗∗∗ Sicherheitslücke FragAttacks: FritzOS-Updates für alte Fritzboxen ∗∗∗ --------------------------------------------- Der Mittelklasse-Router Fritzbox 3490 aus dem Jahr 2014 bekommt das aktuelle FritzOS 7.27 spendiert. Weitere Altmodelle könnten folgen. --------------------------------------------- https://heise.de/-6065367 ∗∗∗ Patchday Android: Kritische System- und Qualcomm-Lücken geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Android-Geräte attackieren und unter anderem Informationen leaken oder sogar Schadcode ausführen. --------------------------------------------- https://heise.de/-6064923 ∗∗∗ Organizations Warned About DoS Flaws in Popular Open Source Message Brokers ∗∗∗ --------------------------------------------- Organizations have been warned about denial of service (DoS) vulnerabilities found in RabbitMQ, EMQ X and VerneMQ, three widely used open source message brokers. --------------------------------------------- https://www.securityweek.com/organizations-warned-about-dos-flaws-popular-o… ∗∗∗ Vorsicht vor Werbung unseriöser Online-Shops! ∗∗∗ --------------------------------------------- Egal ob Facebook, Instagram, Tiktok oder Google: All diese Plattformen sind für Unternehmen attraktive Kanäle, um ihre Werbung zu platzieren. Das gilt allerdings nicht nur für seriöse, sondern auch für unseriöse Unternehmen. Immer wieder melden LeserInnen der Watchlist Internet, dass sie durch Werbeeinschaltungen auf einen problematischen Online-Shop gestoßen sind. Eine aktuelle Untersuchung der Arbeiterkammer Wien in Zusammenarbeit mit der Watchlist Internet [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-werbung-unserioeser-onl… ∗∗∗ TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint ∗∗∗ --------------------------------------------- We have identified indicators traditionally pointing to WatchDog operations being used by the TeamTNT cryptojacking group. --------------------------------------------- https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operatio… ===================== = Vulnerabilities = ===================== ∗∗∗ Wago: Updates fixen gefährliche Lücken in industriellen Steuerungssystemen ∗∗∗ --------------------------------------------- Seit Mai veröffentlicht Wago nach und nach wichtige Firmware-Updates gegen kritische Lücken in speicherprogrammierbaren Steuerungen (PLC) der Serie 750. --------------------------------------------- https://heise.de/-6065199 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx), Fedora (musl), Mageia (dnsmasq, firefox, graphviz, libebml, libpano13, librsvg, libxml2, lz4, mpv, tar, and vlc), openSUSE (csync2, python-py, and snakeyaml), Oracle (qemu), Red Hat (container-tools:2.0, kernel, kpatch-patch, nettle, nginx:1.16, and rh-nginx116-nginx), Slackware (httpd and polkit), SUSE (389-ds, gstreamer-plugins-bad, shim, and snakeyaml), and Ubuntu (gnome-autoar and isc-dhcp). --------------------------------------------- https://lwn.net/Articles/858644/ ∗∗∗ SAP Patchday Juni ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0616 ∗∗∗ Citrix Cloud Connector Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX316690 ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX297155 ∗∗∗ SSA-133038: Multiple Modfem File Parsing Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-133038.txt ∗∗∗ SSA-200951: Multiple Vulnerabilities in Third-Party Component libcurl of TIM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-200951.txt ∗∗∗ SSA-208356: DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-208356.txt ∗∗∗ SSA-211752: Multiple NTP-Client Related Vulnerabilities in SIMATIC NET CP 443-1 OPC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt ∗∗∗ SSA-419820: Denial-of-Service Vulnerability in TIM 1531 IRC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-419820.txt ∗∗∗ SSA-522654: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-522654.txt ∗∗∗ SSA-645530: TIFF File Parsing Vulnerability in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-645530.txt --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Applications 4.3 nodejs and nodejs-express Appsody stacks is vulnerable to information disclosure, buffer overflow and prototype pollution exposures ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2021
by Daily end-of-shift report 07 Jun '21

07 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-06-2021 18:00 − Montag 07-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Angreifer attackieren VMware vCenter Server ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer es auf eine kritische Lücke in vCenter Server abgesehen haben. --------------------------------------------- https://heise.de/-6063523 ∗∗∗ Exploit für kritische Lücke in Rocket.Chat veröffentlicht ∗∗∗ --------------------------------------------- Wer die im Mai geschlossene kritische Lücke in Rocket.Chat noch nicht gefixt hat, sollte das schleunigst nachholen. --------------------------------------------- https://heise.de/-6063795 ∗∗∗ Malware family naming hell is our own fault ∗∗∗ --------------------------------------------- EternalPetya has more than 10 different names. Many do not realize that CryptoLocker is long dead. These are not isolated cases but symptoms of a systemic problem: The way we name malware does not work. Why does it happen and how can we solve it? --------------------------------------------- https://www.gdatasoftware.com/blog/malware-family-naming-hell ∗∗∗ Gootkit: the cautious Trojan ∗∗∗ --------------------------------------------- Gootkit is complex multi-stage banking malware capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms. --------------------------------------------- https://securelist.com/gootkit-the-cautious-trojan/102731/ ∗∗∗ OSX/Hydromac ∗∗∗ --------------------------------------------- In this guest blog post, the security researcher Taha Karim of ConfiantIntel, dives into a new macOS adware specimen: Hydromac. --------------------------------------------- https://objective-see.com/blog/blog_0x65.html ∗∗∗ WordPress Redirect Hack via Test0.com/Default7.com ∗∗∗ --------------------------------------------- Malicious redirect is a type of hack where website visitors are automatically redirected to some third-party website: usually it’s some malicious resource, scam site or a commercial site that buys traffic from cyber criminals (e.g. counterfeit drugs or replica merchandise). Types of Malicious Redirects There are two major types of malicious redirects: server-side redirects and client-side redirects. --------------------------------------------- https://blog.sucuri.net/2021/06/wordpress-redirect-hack-via-test0-com-defau… ∗∗∗ Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments ∗∗∗ --------------------------------------------- The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers. --------------------------------------------- https://unit42.paloaltonetworks.com/siloscape/ ∗∗∗ This phishing email is pushing password-stealing malware to Windows PCs ∗∗∗ --------------------------------------------- An old form of trojan malware has been updated with new abilities, warn cybersecurity researchers. --------------------------------------------- https://www.zdnet.com/article/this-phishing-email-is-pushing-password-steal… ∗∗∗ Hacking space: How to pwn a satellite ∗∗∗ --------------------------------------------- Hacking an orbiting satellite is not light years away - here’s how things can go wrong in outer space --------------------------------------------- https://www.welivesecurity.com/2021/06/07/hacking-space-how-pwn-satellite/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libwebp, python-django, ruby-nokogiri, and thunderbird), Fedora (dhcp, polkit, transfig, and wireshark), openSUSE (chromium, inn, kernel, redis, and umoci), Oracle (pki-core:10.6), Red Hat (libwebp, nginx:1.18, rh-nginx118-nginx, and thunderbird), SUSE (gstreamer-plugins-bad), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle). --------------------------------------------- https://lwn.net/Articles/858561/ ∗∗∗ Microsoft Edge: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0612 ∗∗∗ Apache HTTP Server: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0611 ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0613 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: cURL libcurl vulnerabilites impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-curl-libcurl-vulnerabilit… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect JRE in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Elastic Storage Server GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0, and earlier (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp… ∗∗∗ Security Bulletin: IBM DataPower Gateway GUI permits use of GET ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-gui… ∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to Directory Traversal vulnerability (CVE-2021-20517) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2021
by Daily end-of-shift report 04 Jun '21

04 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-06-2021 18:00 − Freitag 04-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: Phishing-Mail von World4You im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit eine gefälschte World4You-Phishingmail an Webseiten-BetreiberInnnen. Darin heißt es, dass die registrierte Domain der EmpfängerInnen abläuft und daher verlängert werden muss. Gehen Sie nicht auf die Zahlungsforderung ein. Denn das Geld und Ihre Kreditkartendaten landen direkt in den Händen von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-phishing-mail-von-world4you… ∗∗∗ Schlupflöcher für Schadcode in Videokonferenz-Software Cisco Webex geschlossen ∗∗∗ --------------------------------------------- Cisco hat Sicherheitsupdates für mehrere Produkte wie Router und Webex veröffentlicht. --------------------------------------------- https://heise.de/-6062229 ∗∗∗ Email spoofing: how attackers impersonate legitimate senders ∗∗∗ --------------------------------------------- This article analyzes different ways of the spoofing email addresses through changing the From header, which provides information about the senders name and address. --------------------------------------------- https://securelist.com/email-spoofing-types/102703/ ∗∗∗ Exchange Servers Targeted by ‘Epsilon Red’ Malware ∗∗∗ --------------------------------------------- REvil threat actors may be behind a set of PowerShell scripts developed for encryption and weaponized to exploit vulnerabilities in corporate networks, the ransom note suggests. --------------------------------------------- https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/ ∗∗∗ How to hack into 5500 accounts… just using “credential stuffing” ∗∗∗ --------------------------------------------- Passwords - dont just pay them lip service. --------------------------------------------- https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-… ∗∗∗ Russian Dolls VBS Obfuscation, (Fri, Jun 4th) ∗∗∗ --------------------------------------------- We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs" --------------------------------------------- https://isc.sans.edu/diary/rss/27494 ∗∗∗ Build, Hack, and Defend Azure Identity ∗∗∗ --------------------------------------------- An Introduction to PurpleCloud Hybrid + Identity Cyber Range --------------------------------------------- https://www.sans.org/blog/build-hack-defend-azure-identity?msc=rss ∗∗∗ Necro Python bot adds new exploits and Tezos mining to its bag of tricks ∗∗∗ --------------------------------------------- Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of [...] --------------------------------------------- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks… ∗∗∗ Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks ∗∗∗ --------------------------------------------- Application and network performance management company NETSCOUT warned organizations this week that STUN servers have been increasingly abused for distributed denial-of-service (DDoS) attacks, and there are tens of thousands of servers that could be abused for such attacks by malicious actors. --------------------------------------------- https://www.securityweek.com/organizations-warned-stun-servers-increasingly… ∗∗∗ ESET Threat Report T1 2021 ∗∗∗ --------------------------------------------- A view of the T1 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts The post ESET Threat Report T1 2021 appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2021/06/03/eset-threat-report-t12021/ ∗∗∗ WebLogic RCE Leads to XMRig ∗∗∗ --------------------------------------------- This report will review an intrusion where, the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020–14882) to gain initial access to the system before installing [...] --------------------------------------------- https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/ ∗∗∗ CISA Releases Best Practices for Mapping to MITRE ATT&CK® ∗∗∗ --------------------------------------------- As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework. CISA created this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE, which [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/02/cisa-releases-bes… ∗∗∗ FontPack: A dangerous update ∗∗∗ --------------------------------------------- Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates? --------------------------------------------- https://blog.group-ib.com/fontpack ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Advisories zu 13 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, fünf als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, curl, dhclient, dhcp, firefox, keycloak, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, opera, packagekit, pam-u2f, postgresql, rabbitmq, redis, ruby-bundler, and zint), Debian (caribou, firefox-esr, imagemagick, and isc-dhcp), Fedora (mapserver, mingw-python-pillow, and python-pillow), openSUSE (chromium), Red Hat (firefox, glib2, pki-core:10.6, polkit, rh-ruby26-ruby, and rh-ruby27-ruby), SUSE [...] --------------------------------------------- https://lwn.net/Articles/858144/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lasso), Fedora (mingw-djvulibre, mingw-exiv2, python-lxml, and singularity), openSUSE (ceph, dhcp, inn, nginx, opera, polkit, upx, and xstream), Oracle (firefox, perl, and polkit), Scientific Linux (firefox), SUSE (avahi, csync2, djvulibre, libwebp, polkit, python-py, slurm, slurm_18_08, thunderbird, and umoci), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...] --------------------------------------------- https://lwn.net/Articles/858331/ ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authentication for Critical Function, and SQL Injection vulnerabilities in Advantech iView IoT device management application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602… ∗∗∗ Security Advisory - Race Condition Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602… ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0610 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2021
by Daily end-of-shift report 02 Jun '21

02 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-06-2021 18:00 − Mittwoch 02-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Producing a trustworthy x86-based Linux appliance ∗∗∗ --------------------------------------------- Lets say youre building some form of appliance on top of general purpose x86 hardware. You want to be able to verify the software its running hasnt been tampered with. Whats the best approach with existing technology? --------------------------------------------- https://mjg59.dreamwidth.org/57199.html ∗∗∗ Cobalt Strike, a penetration testing tool abused by criminals ∗∗∗ --------------------------------------------- Cobalt Strike is a pen-testing tool that often ends up in the hands of cybercriminals. Are we providing them with the tools to attack us? ... If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking. --------------------------------------------- https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-pe… ∗∗∗ Jugendliche im Visier von Online‑Betrügern: 5 gängige Tricks ∗∗∗ --------------------------------------------- Von gefälschten Designerprodukten bis hin zu verlockenden Jobangeboten – wir stellen fünf verbreitete Betrugsmethoden vor, mit denen Kriminelle es auf Geld und Daten von Teenagern abgesehen haben --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/06/01/jugendliche-im-visier-von… ∗∗∗ Webseiten-BetreiberInnen aufgepasst: TM Österreich versendet betrügerische Mail! ∗∗∗ --------------------------------------------- Webseiten-BetreiberInnen melden uns ein betrügerisches E-Mail der TM Österreich. Dort wird behauptet, dass jemand Ihre Domain mit einer anderen Endung registrieren möchte. TM Österreich bietet Ihnen an, diese zusätzliche Domain zu registrieren, um so Probleme wie Umsatzeinbußen oder Imageschäden zu vermeiden. Vorsicht: TM Österreich ist Fake. Nehmen Sie daher das Angebot auf keinen Fall an! --------------------------------------------- https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-… ∗∗∗ Shodan Verified Vulns 2021-06-01 ∗∗∗ --------------------------------------------- Mit Stand 2021-06-01 boten unsere Shodan-Daten folgendes Bild der Schwachstellen in Österreich: Wie zu erwarten war, ist die Anzahl der verwundbaren Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) weiter zurückgegangen; laut unseren aktuellsten Scans ist die Zahl mittlerweile sogar unter 100. --------------------------------------------- https://cert.at/de/aktuelles/2021/6/shodan-verified-vulns-2021-06-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis ∗∗∗ --------------------------------------------- On February 3rd we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module... Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by scanning the modules in Vdoo’s product security platform, which contains a unique proprietary capability of detecting potential zero-days automatically. The new vulnerabilities werefixed by Realtek, following another responsible disclosure. --------------------------------------------- https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day/ ∗∗∗ Overview of F5 vulnerabilities (June 2021) ∗∗∗ --------------------------------------------- On June 1, 2021, F5 announced the following security issues. High CVEs * K08503505: BIG-IP Edge Client for Windows vulnerability CVE-2021-23022, CVSS score: 7.0 (High) * K33757590: BIG-IP Edge Client for Windows vulnerability CVE-2021-23023, CVSS score: 7.0 (High) Medium CVEs * K06024431: BIG-IQ vulnerability CVE-2021-23024, CVSS score: 6.5 (Medium) --------------------------------------------- https://support.f5.com/csp/article/K67501282 ∗∗∗ Critical 0-day in Fancy Product Designer Under Active Attack ∗∗∗ --------------------------------------------- On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites. ... Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected. --------------------------------------------- https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-desi… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squid), Fedora (dhcp), openSUSE (gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly and slurm), Oracle (glib2 and kernel), Red Hat (kernel, kernel-rt, perl, and tcpdump), Scientific Linux (glib2), SUSE (bind, dhcp, lz4, and shim), and Ubuntu (dnsmasq, lasso, and python-django). --------------------------------------------- https://lwn.net/Articles/857978/ ∗∗∗ Synology DiskStation Manager: Schwachstelle ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE-2021-29088 Ein lokaler Angreifer kann eine Schwachstellen in Synology DiskStation Manager ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0596 ∗∗∗ XSS vulnerability found in popular WYSIWYG website editor [Froala] ∗∗∗ --------------------------------------------- ...the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators. --------------------------------------------- https://www.zdnet.com/article/xss-vulnerability-found-in-popular-wysiwyg-we… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-22696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to Server-side Request Forgery and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HttpComponents and HttpCommons affect embedded WebSphere Application Server, which affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection attack and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-152-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.06.2021
by Daily end-of-shift report 01 Jun '21

01 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 31-05-2021 18:00 − Dienstag 01-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Firefox 89 und ESR 78.11: Neue Browser-Versionen, neue Sicherheits-Updates ∗∗∗ --------------------------------------------- Das Mozilla-Team hat den frisch erschienenen Firefox-Versionen neben neuen Features auch Schwachstellen-Patches spendiert. --------------------------------------------- https://heise.de/-6059513 ∗∗∗ Kroatien Urlaub geplant? Nehmen Sie sich vor kostenpflichtigen Registrierungsseiten wie enter-croatia.com in Acht! ∗∗∗ --------------------------------------------- Viele ÖsterreicherInnen freuen sich darauf, endlich wieder nach Kroatien zu fahren. Durch die COVID-19-Pandemie gelten jedoch strengere Einreisebestimmungen, wie die Empfehlung einer kostenlosen Online-Registrierung. Anbieter wie die Visa Gate GmbH nutzen die Unsicherheit vieler TouristInnen aus und stellen kostenpflichtige Registrierungsseiten ins Netz. Wir empfehlen Ihnen, die (freiwillige) Online-Registrierung nicht über enter-croatia.com vorzunehmen! --------------------------------------------- https://www.watchlist-internet.at/news/kroatien-urlaub-geplant-nehmen-sie-s… ∗∗∗ Windows 10s package manager flooded with duplicate, malformed apps ∗∗∗ --------------------------------------------- Microsofts Windows 10 package manager Wingets GitHub has been flooded with duplicate apps and malformed manifest files raising concerns among developers with regards to the integrity of apps. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10s-package-manager-… ∗∗∗ Quick and dirty Python: nmap, (Mon, May 31st) ∗∗∗ --------------------------------------------- Continuing on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running. --------------------------------------------- https://isc.sans.edu/diary/rss/27480 ∗∗∗ Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st) ∗∗∗ --------------------------------------------- We recently identified a new Guildma/Astaroth campaign targeting South America, mainly Brazil, using a new variant of the malware. Guildma is known by its multiple-staged infection chain and evasion techniques to reach victim’s data and exfiltrate them. In a previous diary [1] at Morphus Labs, we analyzed a Guildma variant which employed an innovative strategy to stay active, using Facebook and YouTube to get a new list of its C2 servers. --------------------------------------------- https://isc.sans.edu/diary/rss/27482 ∗∗∗ Evadere Classifications ∗∗∗ --------------------------------------------- The term evasion is derived from the Latin word "evadere" which means - "To escape, to get away." The DOD defines evasion as - "The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control." [...] This made me think - what does evasion or bypass truly mean? Are there different categories that these evasion techniques fit into? Lastly, if these techniques are to fit into categories - how can detection engineers leverage these for engagements? --------------------------------------------- https://posts.specterops.io/evadere-classifications-8851a429c94b ∗∗∗ Revisiting the NSIS-based crypter ∗∗∗ --------------------------------------------- In this blog we look at the constantly evolving NSIS crypter which malware authors have been leveraging as a flexible tool to pack and encrypt their samples. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-b… ∗∗∗ TeamTNT botnet makes 50,000 victims over the last three months ∗∗∗ --------------------------------------------- TeamTNT, a crypto-mining botnet specialized in infecting misconfigured Docker and Kubernetes platforms, has compromised more than 50,000 systems over the last three months, between March and May 2021, security firm Trend Micro said last week. --------------------------------------------- https://therecord.media/teamtnt-botnet-makes-50000-victims-over-the-last-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 ∗∗∗ --------------------------------------------- On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of this vulnerability, see lasso.git NEWS. This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cflow, chromium, eterm, gnutls, and kernel), Mageia (kernel and kernel-linus), Oracle (glib2), Red Hat (glib2, kernel, kernel-rt, and kpatch-patch), SUSE (curl, djvulibre, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, nginx, python-httplib2, and slurm), and Ubuntu (gupnp, libwebp, postgresql-10, postgresql-12, postgresql-13, and python3.8). --------------------------------------------- https://lwn.net/Articles/857830/ ∗∗∗ Security Bulletin: A format string security vulnerability has been identified in IBM Spectrum Scale (CVE-2021-29740) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-format-string-security-… ∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2021
by Daily end-of-shift report 31 May '21

31 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-05-2021 18:00 − Montag 31-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke in Sonicwalls Network Security Manager ∗∗∗ --------------------------------------------- Angreifer könnten durch eine Schwachstelle in der Firewall-Verwaltungssoftware Network Security Manager schlüpfen. --------------------------------------------- https://heise.de/-6057794 ∗∗∗ Client Puzzle Protocols (CPPs) als Gegenmaßnahmen gegen automatisierte Gefahren für Webapplikationen ∗∗∗ --------------------------------------------- Client Puzzle Protocols (CPPs) können effektive Maßnahmen gegen Denial-of-Service-Attacken sein. Sie müssen aber auf ihre Effektivität überprüft werden. --------------------------------------------- https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vla… ∗∗∗ Threat spotlight: Conti, the ransomware used in the HSE healthcare attack ∗∗∗ --------------------------------------------- [...] In this blog, we’ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-con… ∗∗∗ PoC published for new Microsoft PatchGuard (KPP) bypass ∗∗∗ --------------------------------------------- A security researcher has discovered a bug in PatchGuard––a crucial Windows security feature––that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel. --------------------------------------------- https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypa… ∗∗∗ WooCommerce Credit Card Skimmer Hides in Plain Sight ∗∗∗ --------------------------------------------- Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration. --------------------------------------------- https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html ∗∗∗ On the Taxonomy and Evolution of Ransomware ∗∗∗ --------------------------------------------- Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge. --------------------------------------------- https://threatpost.com/taxonomy-evolution-ransomware/166462/ ∗∗∗ Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th) ∗∗∗ --------------------------------------------- In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27472 ∗∗∗ Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th) ∗∗∗ --------------------------------------------- New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released. --------------------------------------------- https://isc.sans.edu/diary/rss/27476 ∗∗∗ Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th) ∗∗∗ --------------------------------------------- One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS. --------------------------------------------- https://isc.sans.edu/diary/rss/27478 ∗∗∗ IT threat evolution Q1 2021 ∗∗∗ --------------------------------------------- SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021/102382/ ∗∗∗ IT threat evolution Q1 2021. Mobile statistics ∗∗∗ --------------------------------------------- In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/ ∗∗∗ IT threat evolution Q1 2021. Non-mobile statistics ∗∗∗ --------------------------------------------- In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/10… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4). --------------------------------------------- https://lwn.net/Articles/857737/ ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2021
by Daily end-of-shift report 28 May '21

28 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-05-2021 18:00 − Freitag 28-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI to share compromised passwords with Have I Been Pwned ∗∗∗ --------------------------------------------- The FBI will soon begin to share compromised passwords with Have I Been Pwneds Password Pwned service that were discovered during law enforcement investigations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-to-share-compromised-pas… ∗∗∗ Ransomware gangs slow decryptors prompt victims to seek alternatives ∗∗∗ --------------------------------------------- Recently, two highly publicized ransomware victims received a decryptor that was too slow to make it effective in quickly restoring the victims network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryp… ∗∗∗ Tracking BokBot (a.k.a. IcedID) Infrastructure ∗∗∗ --------------------------------------------- BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware. --------------------------------------------- https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/ ∗∗∗ Malicious PowerShell Hosted on script.google.com, (Fri, May 28th) ∗∗∗ --------------------------------------------- Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27468 ∗∗∗ Jetzt patchen! Kritische Lücke in HPE SIM geschlossen ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für Hewlett Packard Enterprise Systems Insight Manager (SIM) erschienen. --------------------------------------------- https://heise.de/-6056415 ∗∗∗ Falsifying and weaponizing certified PDFs ∗∗∗ --------------------------------------------- Certified PDFs are supposed to control modifications so that recipients know they havent been tampered with. It doesnt always work. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/falsifyi… ∗∗∗ Do you know your OpSec? ∗∗∗ --------------------------------------------- Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/do-you-know-your-opsec/ ∗∗∗ Urlaubsreif? Buchen Sie nicht über ferienhauspartner.co, fewopartner.co, holidaypartner.co & ferienpartner.co! ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach ein Urlaubsdomizil für den nahenden Sommer? Wenn ja, könnten Sie auf betrügerische Webseiten stoßen. Denn Kriminelle bieten derzeit Ferienhäuser und Ferienwohnungen in Deutschland und Dänemark an, die per Vorkasse gebucht werden können. Doch Vorsicht: Das bezahlte Geld landet direkt in den Händen der Kriminellen, eine aufrechte Buchung gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/urlaubsreif-buchen-sie-nicht-ueber-f… ∗∗∗ MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone ∗∗∗ --------------------------------------------- To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of todays most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/mobile-inter/ ∗∗∗ Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat ∗∗∗ --------------------------------------------- A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape. --------------------------------------------- https://unit42.paloaltonetworks.com/docker-honeypot/ ∗∗∗ CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier ∗∗∗ --------------------------------------------- In April 2021, the ZDI received a Linux kernel submission that turned out to be an incorrect bounds calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. This bug was submitted to the program by Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf). Manfred Paul had successfully exploited two other eBPF verifier bugs in Pwn2Own 2020 and 2021 respectively. --------------------------------------------- https://www.thezdi.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-ca… ∗∗∗ The Race to Native Code Execution in PLCs ∗∗∗ --------------------------------------------- Claroty has found a severe memory protection bypass vulnerability (CVE-2020-15782) in Siemens PLCs, the SIMATIC S7-1200 and S7-1500. An attacker could abuse this vulnerability on PLCs with disabled access protection to gain read and write access anywhere on the PLC and remotely execute malicious code. --------------------------------------------- https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-… ∗∗∗ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ∗∗∗ --------------------------------------------- On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs, Research Institutions, Government Agencies, International Agencies The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL [...] --------------------------------------------- https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges customers to immediately patch NSM On-Prem bug ∗∗∗ --------------------------------------------- SonicWall urges customers to immediately patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-customers-to… ∗∗∗ SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families ∗∗∗ --------------------------------------------- SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-434534.txt ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx), Fedora (chromium, curl, kernel, php-symfony3, php-symfony4, python-lxml, python-pip, and runc), Mageia (ceph and wireshark), openSUSE (mpv), Oracle (bind, idm:DL1, redis:6, slapi-nis, squid:4, and xorg-x11-server), SUSE (curl, nginx, postgresql10, postgresql12, postgresql13, slurm, slurm_18_08, and slurm_20_11), and Ubuntu (nginx). --------------------------------------------- https://lwn.net/Articles/857581/ ∗∗∗ Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M ∗∗∗ --------------------------------------------- BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends customers to update vulnerable components with fixed software versions. A second vulnerable condition was found when using http protocol, in which the user password is transmitted as a clear text parameter. Latest firmware versions allow only https. If a software update is not [...] --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2021
by Daily end-of-shift report 27 May '21

27 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-05-2021 18:00 − Donnerstag 27-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Achtung: Kriminelle fälschen „Grünen Pass“! ∗∗∗ --------------------------------------------- In Österreich wird bald der „Grüne Pass“ eingeführt, der den Zugang zu Gastronomie und körpernahen Dienstleistungen erleichtern soll. Dieser ist erst in der zweiten Juni-Woche verfügbar, doch Kriminelle verbreiten bereits jetzt eine „Variante“ des Grünen Passes. Wir gehen davon aus, dass dabei personenbezogene Daten abgegriffen werden. Wer die unseriöse App als gültigen Impf-, Test- oder Genesungsnachweis verwendet, könnte könnte sich außerdem strafbar machen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-kriminelle-faelschen-gruenen… ∗∗∗ Exploit veröffentlicht: Gefixte WebKit-Schwachstelle steht auf iPhones offen ∗∗∗ --------------------------------------------- Ein Patch im Open-Source-Unterbau aller iOS-Browser ist selbst nach Wochen noch nicht in Apples Betriebssysteme eingeflossen, warnt eine Sicherheitsfirma. --------------------------------------------- https://heise.de/-6055716 ∗∗∗ BazaLoader Masquerades as Movie-Streaming Service ∗∗∗ --------------------------------------------- The website for “BravoMovies” features fake movie posters and a FAQ with a rigged Excel spreadsheet for “cancelling” the service, but all it downloads is malware. --------------------------------------------- https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/ ∗∗∗ “Unpatchable” vuln in Apple’s new Mac chip – what you need to know ∗∗∗ --------------------------------------------- Its all over the news! The bug you cant fix! Fortunately, you dont need to. We explain why. --------------------------------------------- https://nakedsecurity.sophos.com/2021/05/27/unpatchable-vuln-in-apples-new-… ∗∗∗ Analysis report of the Facefish rootkit ∗∗∗ --------------------------------------------- In Feb 2021, we came across an ELF sample using some CWP’s Ndays exploits, we did some analysis, but after checking with a partner who has some nice visibility in network traffic in some China areas, we discovered there is literarily 0 hit for the C2 traffic. --------------------------------------------- https://blog.netlab.360.com/ssh_stealer_facefish_en/ ∗∗∗ All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th) ∗∗∗ --------------------------------------------- Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention and in the case of malware, it has lead its authors to devise some very interesting ways to hide from detection over the years - from encoding of executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further. --------------------------------------------- https://isc.sans.edu/diary/rss/27466 ∗∗∗ Saving Your Access ∗∗∗ --------------------------------------------- After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page. --------------------------------------------- https://posts.specterops.io/saving-your-access-d562bf5bf90b ∗∗∗ Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises ∗∗∗ --------------------------------------------- Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophist… ===================== = Vulnerabilities = ===================== ∗∗∗ HPE fixes critical zero-day vulnerability disclosed in December ∗∗∗ --------------------------------------------- Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability disclosed last year, in December. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hpe-fixes-critical-zero-day-… ∗∗∗ Drupal: Update schließt Cross-Site-Scripting-Lücke in mehreren CMS-Versionen ∗∗∗ --------------------------------------------- Die Programmbibliothek CKEditor, die vom Drupal-Core verwendet wird, barg unter bestimmten Umständen Angriffsmöglichkeiten. Für Core & Library gibt es Updates. --------------------------------------------- https://heise.de/-6055672 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx). --------------------------------------------- https://lwn.net/Articles/857460/ ∗∗∗ Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks ∗∗∗ --------------------------------------------- Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say. --------------------------------------------- https://www.securityweek.com/vulnerabilities-visual-studio-code-extensions-… ∗∗∗ GENIVI Alliance DLT ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in GENIVI Alliance DLT-Daemon software component. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-01 ∗∗∗ Johnson Controls Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics VideoEdge surveillance systems. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-02 ∗∗∗ Siemens JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- This advisory contains mitigations for Untrusted Pointer Dereference, Out-of-bounds Read, and Stack-based Buffer Overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-04 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric iQ-R Series CPU modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-05 ∗∗∗ Internet Systems Consortium DHCP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0587 ∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021050156 ∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021050155 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services ( CVE-2021-3393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-aff… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in IBM® Runtime Environment Java™ Technology Edition. (CVE-2020-14779) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2020-10733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.05.2021
by Daily end-of-shift report 26 May '21

26 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-05-2021 18:00 − Mittwoch 26-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kaspersky Security Bulletin 2020-2021. EU statistics ∗∗∗ --------------------------------------------- The statistics in this report cover the period from May 2020 to April 2021, inclusive. --------------------------------------------- https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/… ∗∗∗ Smart lighting security ∗∗∗ --------------------------------------------- RJ45 connections delivering Power over Ethernet are becoming prevalent in light fittings, a result of the lower power demands from LED fittings. This creates potential for uninformed installers to inadvertently bridge network security controls through connecting the light fittings to existing networking equipment. ... Radio protocols can also lead to compromise if not done securely; Bluetooth Classic, BLE, Z-Wave and many other protocols can be exploited if not configured correctly. --------------------------------------------- https://www.pentestpartners.com/security-blog/smart-lighting-security/ ∗∗∗ The Attack Path Management Manifesto ∗∗∗ --------------------------------------------- The primary goal of Attack Path Management (APM) is to directly solve the problem of Attack Paths. Today, the problem of Attack Paths is felt most acutely in the world of Microsoft Active Directory and Azure Active Directory. These platforms provide the greatest payoff for attackers, since taking control of the fundamental identity platform for an enterprise grants full control of all users, systems, and data in that enterprise --------------------------------------------- https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5 ∗∗∗ CVE-2021-22909- Digging into a Ubiquiti Firmware Update bug ∗∗∗ --------------------------------------------- Back In February, Ubiquiti released a new firmware update for the Ubiquiti EdgeRouter, fixing CVE-2021-22909/ZDI-21-601. The vulnerability lies in the firmware update procedure and allows a man-in-the-middle (MiTM) attacker to execute code as root on the device by serving a malicious firmware image when the system performs an automatic firmware update. ... The impact of this vulnerability is quite nuanced and worthy of further discussion. --------------------------------------------- https://www.thezdi.com/blog/2021/5/24/cve-2021-22909-digging-into-a-ubiquit… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗ --------------------------------------------- Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. --------------------------------------------- https://kb.cert.org/vuls/id/799380 ∗∗∗ CVE-2020-14145 ∗∗∗ --------------------------------------------- A vulnerability in OpenSSH <= 8.6 allows a man in the middle attack to determine, if a client already has prior knowledge of the remote hosts fingerprint. Using this information leak it is possible to ignore clients, which will show an error message during an man in the middle attack, while new clients can be intercepted without alerting them of the man in the middle attack. [...] At the moment, the only option to mitigate this vulnerability is to set HostKeyAlgorithms in your config file. --------------------------------------------- https://docs.ssh-mitm.at/CVE-2020-14145.html ∗∗∗ Sicherheitsupdates: Kritische Schadcode-Lücke bedroht VMware vCenter Server ∗∗∗ --------------------------------------------- Die Servermanagementsoftware vCenter Server ist verwundbar. Angreifer könnten Schadcode ausführen. --------------------------------------------- https://heise.de/-6054003 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (djvulibre, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gupnp, hivex, lz4, matrix-synapse, prometheus, python-pydantic, runc, thunderbird, and websvn), Fedora (composer, moodle, and wordpress), Gentoo (bash, boost, busybox, containerd, curl, dnsmasq, ffmpeg, firejail, gnome-autoar, gptfdisk, icu, lcms, libX11, mariadb, mumble, mupdf, mutt, mysql, nettle, nextcloud-client, opensmtpd, openssh, openvpn, php, postgresql, prosody, rxvt-unicode, samba, screen, smarty, spamassassin, squid, stunnel, tar, tcpreplay, telegram-desktop), openSUSE (Botan), Red Hat (kernel), Slackware (gnutls), SUSE (hivex, libu2f-host, rubygem-actionpack-5_1), Ubuntu (apport, exiv2, libx11). --------------------------------------------- https://lwn.net/Articles/857352/ ∗∗∗ Cisco ADE-OS Local File Inclusion Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Open Redirect Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-119468: Luxion KeyShot Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-119468.txt ∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-… ∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-… ∗∗∗ Security Advisory - Improper Licenses Management Vulnerability in Some Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-… ∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates… ∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann… ∗∗∗ Security Bulletin: Data protection rules and policies are not enforced on virtualized objects ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-protection-rules-and… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2021-20487 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-license-key-server-ad… ∗∗∗ Overview of NGINX vulnerabilities (May 2021) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52559937?utm_source=f5support&utm_mediu… ∗∗∗ NGINX Plus and Open Source vulnerability CVE-2021-23017 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12331123?utm_source=f5support&utm_mediu… ∗∗∗ Datakit Libraries bundled in Luxion KeyShot ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01 ∗∗∗ Rockwell Automation Micro800 and MicroLogix 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2021
by Daily end-of-shift report 25 May '21

25 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-05-2021 18:00 − Dienstag 25-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht bei SMS-Benachrichtigungen zum Lieferstatus einer Bestellung ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Dann sollten Sie besonders vorsichtig sein, wenn Sie per SMS, Informationen über den Status Ihrer Bestellung erhalten, denn Kriminelle versenden momentan massenhaft gefälschte Lieferbenachrichtigungen. Um Details zu erfahren, werden Sie aufgefordert auf einen Link zu klicken. Tun Sie das keinesfalls, [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-… ∗∗∗ Jetzt patchen! Kritische Windows-Lücke betrifft mehr Systeme als gedacht ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine weitere verwundbare Komponente in Windows-Systemen entdeckt. Updates sind bereits verfügbar. --------------------------------------------- https://heise.de/-6052749 ∗∗∗ Qnap sichert NAS spät gegen Qlocker-Attacken ab ∗∗∗ --------------------------------------------- Seit April hat es ein Erpressungstrojaner auf Netzwerkspeicher von Qnap abgesehen. Erst jetzt gibt es Sicherheitspatches. --------------------------------------------- https://heise.de/-6052783 ∗∗∗ Evolution of JSWorm ransomware ∗∗∗ --------------------------------------------- There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm. --------------------------------------------- https://securelist.com/evolution-of-jsworm-ransomware/102428/ ∗∗∗ "Serverless" Phishing Campaign, (Sat, May 22nd) ∗∗∗ --------------------------------------------- The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I spot a phishing campaign that uses this piece of JavaScript code. --------------------------------------------- https://isc.sans.edu/diary/rss/27446 ∗∗∗ Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd) ∗∗∗ --------------------------------------------- Brad posted another malware analysis with capture file of Cobalt Strike traffic. --------------------------------------------- https://isc.sans.edu/diary/rss/27448 ∗∗∗ Web Applications and Internal Penetration Tests ∗∗∗ --------------------------------------------- Until recently, I really didnt care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applica… ∗∗∗ Apple‌ Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS ∗∗∗ --------------------------------------------- Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apples Transparency, Consent, and Control (TCC) framework in macOS --------------------------------------------- https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.ht… ∗∗∗ OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant ∗∗∗ --------------------------------------------- Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit. --------------------------------------------- https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticat… ∗∗∗ DarkChronicles: the consequences of the Colonial Pipeline attack ∗∗∗ --------------------------------------------- This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-conseq… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗ --------------------------------------------- Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. --------------------------------------------- https://kb.cert.org/vuls/id/799380 ∗∗∗ VU#667933: Pulse Connect Secure Samba buffer overflow ∗∗∗ --------------------------------------------- Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code. --------------------------------------------- https://kb.cert.org/vuls/id/667933 ∗∗∗ Trend Micro: Home Network Security Station gegen drei Schwachstellen abgesichert ∗∗∗ --------------------------------------------- Ein Firmware-Update schützt Home Network Security Stations vor Angriffsmöglichkeiten, von denen zwei, obwohl nur lokal ausnutzbar, hohe Risiken bergen sollen. --------------------------------------------- https://heise.de/-6053146 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat). --------------------------------------------- https://lwn.net/Articles/857132/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby). --------------------------------------------- https://lwn.net/Articles/857212/ ∗∗∗ [20210503] - Core - CSRF in data download endpoints ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-… ∗∗∗ [20210502] - Core - CSRF in AJAX reordering endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-… ∗∗∗ [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/852-20210501-core-adding-h… ∗∗∗ Pulse Secure VPNs Get Quick Fix for Critical RCE ∗∗∗ --------------------------------------------- https://threatpost.com/pulse-secure-vpns-critical-rce/166437/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ NGINX Controller vulnerability CVE-2021-23018 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97002210 ∗∗∗ NGINX Controller vulnerability CVE-2021-23021 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36926027 ∗∗∗ NGINX Controller vulnerability CVE-2021-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45263486 ∗∗∗ SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2021
by Daily end-of-shift report 21 May '21

21 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-05-2021 18:00 − Freitag 21-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mail-Verschlüsselung: Thunderbird schlampte mit PGP-Schlüsseln ∗∗∗ --------------------------------------------- Die OpenPGP-Implementierung des Open-Source-Mailers Thunderbird speicherte die geheimen Schlüssel im Klartext. --------------------------------------------- https://heise.de/-6051767 ∗∗∗ QNAP confirms Qlocker ransomware used HBS backdoor account ∗∗∗ --------------------------------------------- QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-confirms-qlocker-ransom… ∗∗∗ Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st) ∗∗∗ --------------------------------------------- For bad guys, the implementation of techniques to prevent Security Analysts to perform their job is key! The idea is to make our life more difficult (read: "frustrating"). There are plenty of techniques that can be implemented but it's an ever-ongoing process. --------------------------------------------- https://isc.sans.edu/diary/rss/27444 ∗∗∗ Double-Encrypting Ransomware ∗∗∗ --------------------------------------------- This seems to be a new tactic: Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which attacks encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything. --------------------------------------------- https://www.schneier.com/blog/archives/2021/05/double-encrypting-ransomware… ∗∗∗ 21nails: Reporting on Vulnerable SMTP/Exim Servers ∗∗∗ --------------------------------------------- We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner [...] --------------------------------------------- https://www.shadowserver.org/news/21nails-reporting-on-vulnerable-smtp-exim… ∗∗∗ Project Zero: Fuzzing iOS code on macOS at native speed ∗∗∗ --------------------------------------------- This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at… ∗∗∗ Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator ∗∗∗ --------------------------------------------- Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments. --------------------------------------------- https://www.securityweek.com/microsoft-unveils-simuland-open-source-attack-… ∗∗∗ Getting a persistent shell on a 747 IFE ∗∗∗ --------------------------------------------- TL:DR The Coronavirus pandemic has hit the airline industry hard. One sad consequence was early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/getting-a-persistent-shell-on… ∗∗∗ New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th) ∗∗∗ --------------------------------------------- [...] I planned this video series a couple months ago, and figured that this would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one. --------------------------------------------- https://isc.sans.edu/diary/rss/27440 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Heap-based buffer overflow in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. --------------------------------------------- https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-hea… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine). --------------------------------------------- https://lwn.net/Articles/856902/ ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerabilitiy has been fixed in IBM Security Identity Manager Virtual Appliance(CVE-2019-17006) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilitiy… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by an Information disclosure vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which could allow access to sensitive information ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2021
by Daily end-of-shift report 20 May '21

20 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-05-2021 18:00 − Donnerstag 20-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange bleibt Hauptangriffsziel in der Microsoft-Cloud ∗∗∗ --------------------------------------------- Vectra AI hat die zehn wichtigsten Bedrohungen in Azure AD und Office 365 aufgelistet. Exchange bleibt für Angreifer offenbar unverändert attraktiv. --------------------------------------------- https://heise.de/-6050650 ∗∗∗ Cisco bringt Security-Updates ∗∗∗ --------------------------------------------- Cisco hat einige Updates zu Sicherheitsprodukten angekündigt, darunter das Major Release 7.0 der Secure Firewall Threat Defense und die Integration von Snort 3. --------------------------------------------- https://heise.de/-6049957 ∗∗∗ Attacken auf Android: Jetzt patchen! Wenn es denn Sicherheitsupdates gibt ... ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer auf Android-Geräte abgesehen. Patches gibt es aber in der Regel nur für aktuelle Smartphones und Tablets. --------------------------------------------- https://heise.de/-6050515 ∗∗∗ Fake-Shops: So erkennen Sie betrügerische Online-Shops! ∗∗∗ --------------------------------------------- Das Problem betrügerischer Online-Shops - besser bekannt als Fake-Shops - nimmt weiterhin zu. Damit Sie die unterschiedlichen Arten von Fake-Shops schnell erkennen, beschreiben wir im folgenden Artikel die gängigsten Formen und worauf bei diesen besonders aufzupassen ist. Ein Einkauf in einem Fake-Shop kann Sie nämlich wahrlich teuer zu stehen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-so-erkennen-sie-betrueger… ∗∗∗ Qlocker ransomware shuts down after extorting hundreds of QNAP users ∗∗∗ --------------------------------------------- The Qlocker ransomware gang has shut down their operation after earning $350,000 in a month by exploiting vulnerabilities in QNAP NAS devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-dow… ∗∗∗ Keksec Cybergang Debuts Simps Botnet for Gaming DDoS ∗∗∗ --------------------------------------------- The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities. --------------------------------------------- https://threatpost.com/keksec-simps-botnet-gaming-ddos/166306/ ∗∗∗ BazarCall: Call Centers Help Spread BazarLoader Malware ∗∗∗ --------------------------------------------- Call center operators offer to personally guide victims through a process designed to infect vulnerable computers with BazarLoader malware. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-malware/ ∗∗∗ Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/19/update-cisa-fbi-j… ∗∗∗ Misconfiguration of third party cloud services exposed data of over 100 million users ∗∗∗ --------------------------------------------- After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes. --------------------------------------------- https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-clou… ∗∗∗ Microsoft warns of malware campaign spreading a RAT masquerading as ransomware ∗∗∗ --------------------------------------------- The Microsoft security team has published details on Wednesday about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack. --------------------------------------------- https://therecord.media/microsoft-warns-of-malware-campaign-spreading-a-rat… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-601: Ubiquiti Networks EdgeOS Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ubiquiti Networks EdgeOS on EdgeRouter X, EdgeRouter Pro X SFP, EdgeRouter 10X and EdgePoint 6-port routers. User interaction is required to exploit this vulnerability in that an administrator must perform a firmware update on the device. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-601/ ∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in macOS SMB server ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable integer overflow vulnerability in Apple macOS’ SMB server that could lead to information disclosure. --------------------------------------------- https://blog.talosintelligence.com/2021/05/vuln-spotlight-smb-information-d… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel). --------------------------------------------- https://lwn.net/Articles/856775/ ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/20/cisco-releases-se… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within libcurl (CVE-2020-8284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: A security vulnerability in Node.js braces and netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager (CVE-2021-29687, CVE-2021-29688) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-014 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2021
by Daily end-of-shift report 19 May '21

19 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-05-2021 18:00 − Mittwoch 19-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MountLocker ransomware uses Windows API to worm through networks ∗∗∗ --------------------------------------------- The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-… ∗∗∗ Transparent Tribe APT Infrastructure Mapping ∗∗∗ --------------------------------------------- Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets. --------------------------------------------- https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure… ∗∗∗ May 2021 Forensic Contest: Answers and Analysis, (Wed, May 19th) ∗∗∗ --------------------------------------------- You can still find the pcap for our May 2021 forensic contest at this Github repository. --------------------------------------------- https://isc.sans.edu/diary/rss/27430 ∗∗∗ When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar ∗∗∗ --------------------------------------------- The purpose behind this investigative anecdote on the “water watering hole” is educational and highlights how sometimes two intrusions just don’t line up together no matter how much coincidence there is. --------------------------------------------- https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/ ∗∗∗ Instagram-NutzerInnen aufgepasst: Unseriöse Shops locken mit angeblicher Kooperation! ∗∗∗ --------------------------------------------- Auf Instagram tauchen immer wieder unseriöse Online-Shops auf. Die BetreiberInnen dieser Shops wenden unterschiedliche Maschen an, um ihre Produkte zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nutzerinnen-aufgepasst-uns… ∗∗∗ Crypto-mining gangs are running amok on free cloud computing platforms ∗∗∗ --------------------------------------------- Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms. --------------------------------------------- https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-… ===================== = Vulnerabilities = ===================== ∗∗∗ Pega Infinity patches authentication vulnerability ∗∗∗ --------------------------------------------- Pega Infinity is a popular enterprise software and researchers found a flaw in the authentication process by using a password reset weakness. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/pega-inf… ∗∗∗ Over 600,000 Sites Impacted by WP Statistics Patch ∗∗∗ --------------------------------------------- On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites. --------------------------------------------- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-sta… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, [...] --------------------------------------------- https://lwn.net/Articles/856649/ ∗∗∗ Researchers Find Exploitable Bugs in Mercedes-Benz Cars ∗∗∗ --------------------------------------------- Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution. --------------------------------------------- https://www.securityweek.com/researchers-find-exploitable-bugs-mercedes-ben… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei CloudEngine Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-client-side-http-paramete… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Access Control Security Vulnerability Exists in Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2020-4646) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-security-v… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerablities in IBM SDK, Java Technology Edition Quarterly. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablities-in-ibm-sdk… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Gdk-pixbuf vulnerability CVE-2017-2862 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36984830 ∗∗∗ Linux kernel vulnerability CVE-2019-20811 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52525232 ∗∗∗ BIND vulnerability CVE-2021-25215 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K96223611 ∗∗∗ BIND vulnerability CVE-2021-25214 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11426315 ∗∗∗ BOSCH-SA-350374: Vulnerability in the routing protocol of the PLC runtime ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-350374.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2021
by Daily end-of-shift report 18 May '21

18 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 17-05-2021 18:00 − Dienstag 18-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdate steht noch aus: Root-Lücke in Pulse Connect Secure ∗∗∗ --------------------------------------------- Angreifer könnten VPN Appliances vom Typ Pulse Connect Secure attackieren. Bislang ist nur eine Übergangslösung zu Absicherung verfügbar. --------------------------------------------- https://heise.de/-6048342 ∗∗∗ Unternehmen erhalten gefälschtes Schreiben vom "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe" ∗∗∗ --------------------------------------------- Zahlreiche UnternehmerInnen erhalten momentan einen Brief vom „WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe“ – angeblich eine Behörde zur Verwaltung von Firmendaten. Im Schreiben werden Sie aufgefordert, Ihre Daten zu überprüfen und ggf. zu korrigieren und zu ergänzen. Tun Sie das keinesfalls – es handelt sich um Betrug. Sie werden in eine Abo-Falle gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-erhalten-gefaelschtes-sc… ∗∗∗ Ransomware victim shows why transparency in attacks matters ∗∗∗ --------------------------------------------- As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a companys response to an attack that should be used as a model for all future disclosures. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-victim-shows-why-… ∗∗∗ Codecov hackers gained access to Monday.com source code ∗∗∗ --------------------------------------------- Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies. As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months. --------------------------------------------- https://www.bleepingcomputer.com/news/security/codecov-hackers-gained-acces… ∗∗∗ DarkSide Hits Toshiba; XSS Forum Bans Ransomware ∗∗∗ --------------------------------------------- The criminal forum washed its hands of ransomware after DarkSides pipeline attack & alleged shutdown: A "loss of servers" that didnt stop another attack. --------------------------------------------- https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/ ∗∗∗ From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th) ∗∗∗ --------------------------------------------- I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported function: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27428 ∗∗∗ Exploitation of Sharepoint 2016: Simple Things Matter – Case Study ∗∗∗ --------------------------------------------- This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version 16.0.0.4681. I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018). At that point, I started looking for publicly known exploits and research papers. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploitatio… ∗∗∗ Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic ∗∗∗ --------------------------------------------- During a recent operation, the Red Team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access. --------------------------------------------- https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-… ∗∗∗ Scammers Impersonating Windows Defender to Push Malicious Windows Apps ∗∗∗ --------------------------------------------- Summary points: Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts Recent campaigns pose as a Windows Defender Update Victims end up allowing the installation of a malicious Windows Application that targets user and system information Browser push notifications can highly resemble Windows system notifications. As recently discussed, scammers are abusing push notifications […]The post Scammers Impersonating Windows Defender to Push Malicious --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating… ∗∗∗ CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Microsoft Internet Information Services (IIS) for Windows. The bug was originally discovered by the Microsoft Platform Security & Vulnerability Research team. The following is a portion of their write-up covering CVE-2021-31166, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execut… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-594: (0Day) Microsoft Windows JET Database Engine Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-594/ ∗∗∗ About the security content of Boot Camp 6.1.14 ∗∗∗ --------------------------------------------- Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved state management. --------------------------------------------- https://support.apple.com/en-us/HT212517 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre). --------------------------------------------- https://lwn.net/Articles/856496/ ∗∗∗ Emerson Rosemount X-STREAM ∗∗∗ --------------------------------------------- This advisory contains mitigations for Inadequate Encryption Strength, Unrestricted Upload of File with Dangerous Type, Path Traversal, Use of Persistent Cookies Containing Sensitive Information, Cross-site Scripting, and Improper Restriction of Rendered UI Layers or Frames vulnerabilities for the Rosemount X-STREAM Gas Analyzer. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0536 ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0533 ∗∗∗ KLCERT-20-021: Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-019: Moxa NPort IA5000A Series. Passwords stored in plaintext ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ Security Bulletin: A vulnerabilities in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2021
by Daily end-of-shift report 17 May '21

17 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-05-2021 18:00 − Montag 17-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for wormable Windows HTTP vulnerability ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-wormabl… ∗∗∗ Bizarro banking Trojan expands its attacks to Europe ∗∗∗ --------------------------------------------- Bizarro is yet another banking Trojan family originating from Brazil that steals credentials from customers of 70 banks from different European and South American countries. --------------------------------------------- https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe… ∗∗∗ Ransomware Defenses, (Mon, May 17th) ∗∗∗ --------------------------------------------- Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly reoccurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOI's (Indicators of Outdated Intelligence), and how to try to [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27420 ∗∗∗ AHK RAT Loader Used in Unique Delivery Campaigns ∗∗∗ --------------------------------------------- The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting language - a fork of the AutoIt language that is frequently used for testing purposes. --------------------------------------------- https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-camp… ∗∗∗ Take action now - FluBot malware may be on its way ∗∗∗ --------------------------------------------- Why FluBot is a major threat for Android users, how to avoid falling victim, and how to get rid of the malware if your device has already been compromised --------------------------------------------- https://www.welivesecurity.com/2021/05/17/take-action-now-flubot-malware-ma… ∗∗∗ Two attacks disclosed against AMD’s SEV virtual machine protection system ∗∗∗ --------------------------------------------- Chipmaker AMD has issued guidance this week for two attacks against its SEV (Secure Encrypted Virtualization) technology that protects virtual machines from rogue operating systems. The two attacks, documented in two academic papers, can allow a threat actor to inject malicious code inside SEV-encrypted virtual machines, giving them full control over the VMs operating system. --------------------------------------------- https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-mach… ===================== = Vulnerabilities = ===================== ∗∗∗ Beckhoff Security Advisory 2021-002: Stack Overflow and XXE vulnerability in various OPC UA products ∗∗∗ --------------------------------------------- The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via the OPC UA protocol. --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ SSA-695540: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2 ∗∗∗ --------------------------------------------- Siemens has released version V13.1.0.2 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in ASM and PAR file formats. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-695540.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libimage-exiftool-perl and postgresql-9.6), Fedora (chromium, exiv2, firefox, kernel, kernel-headers, kernel-tools, mariadb, and python-impacket), Mageia (avahi), openSUSE (chromium, drbd-utils, dtc, ipvsadm, jhead, nagios, netdata, openvpn, opera, prosody, and virtualbox), Slackware (libxml2), SUSE (kernel and lz4), and Ubuntu (intel-microcode, python-eventlet, and rust-pleaser). --------------------------------------------- https://lwn.net/Articles/856437/ ∗∗∗ Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Guava Google Core Libraries Vulnerability Affects IBM Control Center (CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-guava-google-core-librari… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is affected by an Information disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-dataformat ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Apache Ant Vulnerabilities Affect IBM Control Center (CVE-2020-1945, CVE-2020-11979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-ant-vulnerabilitie… ∗∗∗ Security Bulletin: Multiple CKEditor Vulnerabilities Affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ckeditor-vulnera… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Python (CVE-2020-15801) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-h2-database-vulnerabiliti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2021
by Daily end-of-shift report 14 May '21

14 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-05-2021 18:00 − Freitag 14-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Kritische Lücke bedroht WordPress 3.7 bis 5.7 ∗∗∗ --------------------------------------------- Viele WordPress-Websites sind verwundbar. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6045823 ∗∗∗ DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized ∗∗∗ --------------------------------------------- The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained funds from an account the group uses to pay affiliates. --------------------------------------------- https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-se… ∗∗∗ Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity ∗∗∗ --------------------------------------------- This skimmer is using a hybrid approach to bypass detection and target vulnerable e-commerce websites. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-s… ∗∗∗ „Hier ist die letzte Warnung!“: Erpresser fordern Bitcoins ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit massenweise Erpressungsmails. Darin wird behauptet, dass das System der EmpfängerInnen gehackt wurde. Außerdem gäbe es ein Video, in dem ersichtlich wird, dass die betroffene Person einen Pornofilm sähe und dabei masturbiert. Die Kriminellen drohen, dieses Video zu veröffentlichen - außer man bezahlt 1.200$. Gehen Sie auf die Forderungen nicht ein, denn: Die Mails werden willkürlich an zahlreiche Menschen versendet. --------------------------------------------- https://www.watchlist-internet.at/news/hier-ist-die-letzte-warnung-erpresse… ∗∗∗ CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise ∗∗∗ --------------------------------------------- CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments. Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/14/cisa-publishes-ev… ∗∗∗ Microsoft: Windows 10 1809 and 1909 have reached end of service ∗∗∗ --------------------------------------------- Multiple editions of Windows 10 versions 1803, 1809, and 1909 have reached their End of Service (EOS) on this months Patch Tuesday, as Microsoft reminded customers yesterday. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-1809-a… ∗∗∗ Meet Lorenz - A new ransomware gang targeting the enterprise ∗∗∗ --------------------------------------------- A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware… ∗∗∗ Attackers abuse Microsoft dev tool to deploy Windows malware ∗∗∗ --------------------------------------------- Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/attackers-abuse-microsoft-de… ∗∗∗ QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day ∗∗∗ --------------------------------------------- QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage (NAS) devices, just two weeks after alerting them of an ongoing AgeLocker ransomware outbreak. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ranso… ∗∗∗ Fresh Loader Targets Aviation Victims with Spy RATs ∗∗∗ --------------------------------------------- The campaign is harvesting screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and more, with RevengeRAT or AsyncRAT payloads. --------------------------------------------- https://threatpost.com/loader-aviation-spy-rats/166133/ ∗∗∗ "Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th) ∗∗∗ --------------------------------------------- Jan's last diary about the recent attack against the US pipeline[1] was in perfect timing with the quick research I was preparing for a few weeks. If core components of industrial systems are less exposed in the wild, as said Jan, there is another issue with such infrastructures: remote access tools. --------------------------------------------- https://isc.sans.edu/diary/rss/27418 ∗∗∗ Server Side Scans and File Integrity Monitoring ∗∗∗ --------------------------------------------- When it comes to the ABCs of website security server side scans and file integrity monitoring are the “A” and “B”. In fact, our server side scanner is one of the most crucial tools in Sucuri’s arsenal. It’s paramount in maintaining an effective security product for our customers and analysts alike. This crucial tool handles tasks like issuing security warnings and alerts to our clients, notifying them that they have been compromised, and assisting our [...] --------------------------------------------- https://blog.sucuri.net/2021/05/server-side-scans-and-file-integrity-monito… ===================== = Vulnerabilities = ===================== ∗∗∗ SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability was discovered under Pulse Connect Secure (PCS). This includes buffer overflow vulnerability on the Pulse Connect Secure gateway that allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800 ∗∗∗ Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Hosted Collaboration Mediation Fulfillment Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Java Management Extensions (JMX) component of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an unsecured TCP/IP port. An attacker could exploit this vulnerability by accessing the port and restarting the JMX process. A successful exploit could allow the attacker to cause a DoS condition on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Critical Vulnerability Patched in External Media Plugin ∗∗∗ --------------------------------------------- On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote [...] --------------------------------------------- https://www.wordfence.com/blog/2021/05/critical-vulnerability-patched-in-ex… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphviz and redmine), Fedora (dom4j, kernel, kernel-headers, kernel-tools, mariadb, php, php-phpmailer6, and redis), openSUSE (kernel and nagios), and Ubuntu (mysql-5.7, mysql-8.0 and python-django). --------------------------------------------- https://lwn.net/Articles/856177/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, libgetdata, and postgresql-11), openSUSE (java-11-openjdk), SUSE (dtc, ibsim, ibutils, ipvsadm, and kernel), and Ubuntu (awstats and glibc). --------------------------------------------- https://lwn.net/Articles/856265/ ∗∗∗ Rockwell Automation Connected Components Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for Deserialization of Untrusted Data, Path Traversal, and Improper Input Validation vulnerabilities in Rockwell Automation Connected Components Workbench software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-01 ∗∗∗ Johnson Controls Sensormatic Tyco AI ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics (a subsidiary of Johnson Controls) Tyco AI products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-02 ∗∗∗ OPC Foundation UA Products Built with .NET Framework ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Recursion vulnerability in OPC Foundation servers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03 ∗∗∗ OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Unified Automation .NET based OPC UA Client/Server SDK Bundle Framework versions. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04 ∗∗∗ mod_auth_openidc vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN49704918/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ PostgreSQL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0521 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0528 ∗∗∗ ILIAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0526 ∗∗∗ git: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0524 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2021
by Daily end-of-shift report 12 May '21

12 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-05-2021 18:00 − Mittwoch 12-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Number of industrial control systems on the internet is lower then in 2020...but still far from zero, (Wed, May 12th) ∗∗∗ --------------------------------------------- With the recent ransomware attack that impacted operation of one of the major US pipelines, I thought it might be a good time to revisit the old topic of internet-connected industrial systems. --------------------------------------------- https://isc.sans.edu/diary/rss/27412 ∗∗∗ Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks ∗∗∗ --------------------------------------------- Three design and multiple implementation flaws have been disclosed in IEEE 802.11 technical standard that undergirds Wi-Fi, potentially enabling an adversary to take control over a system and plunder confidential data. --------------------------------------------- https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.ht… ∗∗∗ Shining a Light on DARKSIDE Ransomware Operations ∗∗∗ --------------------------------------------- Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-dar… ∗∗∗ Lebenslauf-Erstellung auf cvmaker.de führt zu Abo-Vertrag! ∗∗∗ --------------------------------------------- Sie sind auf Arbeitssuche und wollen einen professionellen Lebenslauf erstellen? Die Suche danach könnte Sie auf die Seite cvmaker.de führen. Dort können Sie schnell und unkompliziert den benötigten Lebenslauf erstellen und das für nur 2,95 Euro. Aber Achtung: Sieben Tage nachdem Sie bezahlt haben, schließen Sie automatisch ein Abo ab. --------------------------------------------- https://www.watchlist-internet.at/news/lebenslauf-erstellung-auf-cvmakerde-… ∗∗∗ „Ihre Lieferung befindet sich in unserem Zollzentrum“: Vorsicht vor betrügerischer SMS! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen der Watchlist Internet melden uns derzeit eine betrügerische SMS, die die EmpfängerInnen in eine Abo-Falle locken soll. Darin wird behauptet, dass sich eine Lieferung im Zollzentrum befindet und Importgebühren bezahlt werden müssen. --------------------------------------------- https://www.watchlist-internet.at/news/ihre-lieferung-befindet-sich-in-unse… ∗∗∗ Conti Ransomware ∗∗∗ --------------------------------------------- First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. --------------------------------------------- https://thedfirreport.com/2021/05/12/conti-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Send My: Arbitrary data transmission via Apples Find My network ∗∗∗ --------------------------------------------- Its possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices that then upload the data for you. --------------------------------------------- https://positive.security/blog/send-my ∗∗∗ Microsoft-Patchday: Windows-Trojaner könnte sich wurmartig auf PCs verbreiten ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Windows & Co. Mehrere Lücken sind bereits öffentlich bekannt. Attacken gibt es wohl noch nicht. --------------------------------------------- https://heise.de/-6044412 ∗∗∗ Adobe-Patchday: Attacken auf Adobe Acrobat und Reader ∗∗∗ --------------------------------------------- Adobe hat Sicherheitsupdates für verschiedene Anwendungen veröffentlicht. Vor allem Nutzer von Acrobat und Reader sollten die Patches zügig installieren. --------------------------------------------- https://heise.de/-6044528 ∗∗∗ SAP-Patchday: Angreifer könnten Daten von SAP-Software leaken ∗∗∗ --------------------------------------------- SAP hat Sicherheitsupdates für unter anderem Business One und NetWeaver AS ABAP veröffentlicht. --------------------------------------------- https://heise.de/-6044570 ∗∗∗ WLAN-Sicherheitslücken FragAttacks: Erste Updates ∗∗∗ --------------------------------------------- Für Windows, Linux, Router und WLAN-Adapter es bereits Patches oder zumindest Hinweise zum Schutz gegen die WLAN-Schwachstellen "FragAttacks". --------------------------------------------- https://heise.de/-6045116 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer, hivex, lz4, and rails), Fedora (chromium, community-mysql, djvulibre, dom4j, firefox, php, php-phpmailer6, python-django, and redis), Mageia (mariadb, nagios, and pngcheck), openSUSE (opera, syncthing, and vlc), SUSE (kernel, openvpn, openvpn-openssl1, shim, and xen), and Ubuntu (flatpak, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4,[...] --------------------------------------------- https://lwn.net/Articles/856086/ ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for RedHat OpenShift (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: A security vulnerability in Node.js glob-parent module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js Lodash module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in Ansible affect IBM Cloud Pak for Multicloud Management Hybrid GRC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ May 10, 2021 TNS-2021-09 [R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-09 ∗∗∗ Synology-SA-21:20 FragAttacks ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_20 ∗∗∗ BlackBerry Workspaces Server: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0503 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0510 ∗∗∗ BlackBerry UEM Management Console: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0517 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0515 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-01 ∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-02 ∗∗∗ Siemens Mendix Database Replication Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-05 ∗∗∗ Siemens Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-08 ∗∗∗ SA44790 - HTTP Request Smuggling vulnerability with Virtual Traffic Manager (vTM) ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44790 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2021
by Daily end-of-shift report 11 May '21

11 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 10-05-2021 18:00 − Dienstag 11-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI aktualisiert den Mindeststandard zur Verwendung von Transport Layer Security (TLS) ∗∗∗ --------------------------------------------- Die neue Version 2.2 des Mindeststandards berücksichtigt die aktuellen Empfehlungen der technischen Richtlinien des BSI (TR 02102-2, TR 03116-4) und thematisiert den Umgang mit TLS-Protokoll-Versionen und kryptografischen Verfahren, die nicht den Vorgaben des Mindeststandards entsprechen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Gefälschtes E-Mail der bank99 im Umlauf ∗∗∗ --------------------------------------------- Ihr bank99-Konto wurde angeblich gesperrt, weil Sie Ihre Identität nicht bestätigt haben? Vorsicht, diese Kundenmitteilung ist gefälscht. Kriminelle fälschen bank99-E-Mails, um an Ihre Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den "Vorgang starten"-Link. Sie werden auf eine nachgebaute Login-Website geleitet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-der-bank99-im-um… ∗∗∗ US and Australia warn of escalating Avaddon ransomware attacks ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-and-australia-warn-of-esc… ∗∗∗ TeaBot: a new Android malware emerged in Italy, targets banks in Europe ∗∗∗ --------------------------------------------- [...] At the beginning of January 2021, a new Android banker started appearing and it was discovered and analysed by our Threat Intelligence and Incident Response (TIR) team. Since lack of information and the absence of a proper nomenclature of this Android banker family, we decide to dub it as TeaBot to better track this family inside our internal Threat Intelligence taxonomy. --------------------------------------------- https://www.cleafy.com/documents/teabot ∗∗∗ Beware of Applications Misusing Root Stores ∗∗∗ --------------------------------------------- We have been alerted about applications that use the root store provided by Mozilla for purposes other than what Mozilla’s root store is curated for. [...] Applications that use Mozilla’s root store for a purpose other than that have a critical security vulnerability. --------------------------------------------- https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusin… ∗∗∗ DarkSide Malware Profile ∗∗∗ --------------------------------------------- The following report provides X-Force Threat Intelligences analysis of the DarkSide ransomware family based on publicly available samples. Summary: DarkSide, like other ransomware used in targeted attacks, encrypts user data in compromised computers. Recent variants of DarkSide ransomware enumerates various system properties of the victim and beacons them in an encoded POST request to its C2 address. DarkSide also executes an encoded PowerShell command to delete volume shadow copies. It deletes [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/06d0917405c36ca91f5db1fe0c0… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (hivex), Fedora (djvulibre and thunderbird), openSUSE (monitoring-plugins-smart and perl-Image-ExifTool), Oracle (kernel and kernel-container), Red Hat (kernel and kpatch-patch), SUSE (drbd-utils, java-11-openjdk, and python3), and Ubuntu (exiv2, firefox, libxstream-java, and pyyaml). --------------------------------------------- https://lwn.net/Articles/855995/ ∗∗∗ Synology-SA-21:19 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_19 ∗∗∗ Citrix Workspace App Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified that could result in a local user escalating their privilege level to SYSTEM on the computer running Citrix Workspace app for Windows. --------------------------------------------- https://support.citrix.com/article/CTX307794 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/google-releases-s… ∗∗∗ Reflected XSS Vulnerability in SIS Infromatik - Rewe Go ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infrom… ∗∗∗ SAP Patchday Mai ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0496 ∗∗∗ 2020-10Password Change Authentication Bypass Vulnerability in HiOS & HiSecOS ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=12914&mediaformat… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed an information disclosure vulnerability (CVE-2020-4536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a cross-site scripting vulnerability (CVE-2020-4535) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ SSA-854248: Information Disclosure Vulnerability in Mendix Excel Importer Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-854248.txt ∗∗∗ SSA-752103: Telnet Authentication Vulnerability in SINAMICS Medium Voltage Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-752103.txt ∗∗∗ SSA-723417: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-723417.txt ∗∗∗ SSA-678983: Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-678983.txt ∗∗∗ SSA-676775: Denial-of-Service Vulnerability in SIMATIC NET CP 343-1 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-676775.txt ∗∗∗ SSA-594364: Denial-of-Service Vulnerability in SNMP Implementation of WinCC Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594364.txt ∗∗∗ SSA-501073: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-501073.txt ∗∗∗ SSA-324955: SAD DNS Attack in Linux Based Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-324955.txt ∗∗∗ SSA-286838: Multiple Vulnerabilities in SINAMICS Medium Voltage Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-286838.txt ∗∗∗ SSA-116379: Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-116379.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2021
by Daily end-of-shift report 10 May '21

10 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-05-2021 18:00 − Montag 10-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th) ∗∗∗ --------------------------------------------- Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets. --------------------------------------------- https://isc.sans.edu/diary/rss/27404 ∗∗∗ Manipulierte Entwicklungsumgebung: Xcode-Malware war enorm verbreitet ∗∗∗ --------------------------------------------- Im Verfahren Epic gegen Apple kam heraus, dass 2015 fast 130 Millionen iPhone-Nutzer von "XcodeGhost" betroffen waren – in über 2500 Apps. --------------------------------------------- https://heise.de/-6041836 ∗∗∗ Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs ∗∗∗ --------------------------------------------- Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns. Lemon Duck remains relevant as the operators begin to target [...] --------------------------------------------- https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html ∗∗∗ Banking‑Trojaner Ousaban analysiert ∗∗∗ --------------------------------------------- In unserer Serie zu lateinamerikanischen Banking-Trojanern betrachten wir einen Vertreter mit komplexen Vertriebsweg --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/05/07/banking-trojaner-ousaban-… ∗∗∗ Colonial Pipeline Falls Victim to Attack ∗∗∗ --------------------------------------------- Summary A top U.S. fuel pipeline company has suffered a cyber attack that has forced them to halt operations. Several news sources and the company itself have confirmed the attack. Threat Type Cyber Attack Overview ** Update May 10 - 8:50 AM** The most recent reporting indicates that the attack likely involved DarkSide, a ransomware-as-a-service (RaaS) affiliate operation. DarkSide posted the following statement to their leak site following the attack: We are apolitical, we do not participate in [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/cc757925ae0fdf1689518a35128… ∗∗∗ SolarWinds says fewer than 100 customers were impacted by supply chain attack ∗∗∗ --------------------------------------------- Texas-based software firm SolarWinds downgraded the number of customers impacted by its 2020 supply chain attack from 18,000 to less than 100. --------------------------------------------- https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impac… ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit Reader bug lets attackers run malicious code via PDFs ∗∗∗ --------------------------------------------- Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader. --------------------------------------------- https://www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attack… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml2), Fedora (autotrace, babel, kernel, libopenmpt, libxml2, mingw-exiv2, mingw-OpenEXR, mingw-openexr, python-markdown2, and samba), openSUSE (alpine, avahi, libxml2, p7zip, redis, syncthing, and vlc), and Ubuntu (webkit2gtk). --------------------------------------------- https://lwn.net/Articles/855909/ ∗∗∗ Linux kernel vulnerability CVE-2020-1749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K02186513 ∗∗∗ Security Bulletin: IBM CloudPak foundational services (Events Operator) is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloudpak-foundational… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to CVE-2021-20538 and CVE-2021-20577 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js urijs module affects IBM Cloud Pak for Multicloud Management Infrastructure management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability (CVE-2021-20559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-control-desk-is-vulne… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Codec ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily