- Daily - CERT.at

Tageszusammenfassung - 06.08.2021
by Daily end-of-shift report 06 Aug '21

06 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-08-2021 18:00 − Freitag 06-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Linux version of BlackMatter ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMwares ESXi virtual machine platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter… ∗∗∗ Lockbit 2.0: Ransomware will Firmen-Insider rekrutieren ∗∗∗ --------------------------------------------- Die Ransomware-Gruppe Lockbit sucht auf ungewöhnliche Weise nach Insidern, die ihr Zugangsdaten übermitteln sollen. --------------------------------------------- https://www.golem.de/news/lockbit-2-0-ransomware-will-firmen-insider-rekrut… ∗∗∗ Malicious Microsoft Word Remains A Key Infection Vector, (Fri, Aug 6th) ∗∗∗ --------------------------------------------- Despite Microsoft's attempts to make its Office suite more secure and disable many automatic features, despite the fact that users are warned that suspicious documents should not be opened, malicious Word documents remain a key infection vector today. --------------------------------------------- https://isc.sans.edu/diary/rss/27716 ∗∗∗ Using “Master Faces” to Bypass Face-Recognition Authenticating Systems ∗∗∗ --------------------------------------------- A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information. --------------------------------------------- https://www.schneier.com/blog/archives/2021/08/using-master-faces-to-bypass… ∗∗∗ EU officials investigating breach of Cybersecurity Atlas project ∗∗∗ --------------------------------------------- The European Commission is investigating a breach of its Cybersecurity Atlas project after a copy of the site’s backend database was put up for sale on an underground cybercrime forum on Monday. --------------------------------------------- https://therecord.media/eu-officials-investigating-breach-of-cybersecurity-… ∗∗∗ Security-Oscars: And the Pwnie goes to … ∗∗∗ --------------------------------------------- Der Pandemie zum Trotz hat die Pwnie-Jury auch in diesem Jahr die Security-Oscars verliehen – und natürlich auch "Goldene Himbeeren". --------------------------------------------- https://heise.de/-6157581 ∗∗∗ What is Tor? ∗∗∗ --------------------------------------------- We give a brief overview of Tor, the secure communications tool. We explain what it is, how you can use it, and some of the potential drawbacks. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/08/what-is-tor/ ∗∗∗ Black Hat: How cybersecurity incidents can become a legal minefield ∗∗∗ --------------------------------------------- Facing a cyberattack? Pick up the phone and talk to legal help as well as incident response. --------------------------------------------- https://www.zdnet.com/article/black-hat-how-cybersecurity-can-be-a-legal-mi… ∗∗∗ Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals ∗∗∗ --------------------------------------------- A disgruntled member of the Conti ransomware program has leaked today the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files. --------------------------------------------- https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-ga… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#357312: HTTP Request Smuggling in Web Proxies ∗∗∗ --------------------------------------------- HTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling. --------------------------------------------- https://kb.cert.org/vuls/id/357312 ∗∗∗ Kindle: Mit Schadcode infizierte E-Books konnten Amazon-Account kapern ∗∗∗ --------------------------------------------- Mit infizierten E-Books konnten Sicherheitsforscher Kindle-Reader und sogar Amazon-Konten übernehmen. Amazon hat die Lücke mittlerweile geschlossen. --------------------------------------------- https://heise.de/-6157512 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Mageia (bluez, exiv2, fetchmail, libsndfile, nodejs, php-pear, python-pillow, and rabbitmq-server), openSUSE (apache-commons-compress, balsa, djvulibre, mariadb, mysql-connector-java, nodejs8, opera, and spice-vdagent), Red Hat (ruby:2.7), SUSE (apache-commons-compress, djvulibre, java-11-openjdk, libsndfile, mariadb, nodejs8, and spice-vdagent), and Ubuntu (docker.io). --------------------------------------------- https://lwn.net/Articles/865465/ ∗∗∗ Black Hat: BadAlloc bugs expose millions of IoT devices to hijack ∗∗∗ --------------------------------------------- BadAlloc vulnerabilities impact millions of devices worldwide. --------------------------------------------- https://www.zdnet.com/article/black-hat-badalloc-bugs-expose-millions-of-io… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Free Micropatches for "PetitPotam" ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html ∗∗∗ HCC Embedded InterNiche TCP/IP stack, NicheLite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-01 ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-03 ∗∗∗ Advantech WebAccess SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 ∗∗∗ CISA Releases Security Advisory for InterNiche Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2021
by Daily end-of-shift report 05 Aug '21

05 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-08-2021 18:00 − Donnerstag 05-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware: Unternehmen beklagen immense Schäden durch Cyberangriffe ∗∗∗ --------------------------------------------- Die Angriffe mit Ransomware nehmen massiv zu, zeigt nun auch der Bitkom-Verband. Auch das Homeoffice wird sicherheitskritisch. --------------------------------------------- https://www.golem.de/news/ransomware-unternehmen-beklagen-immense-schaeden-… ∗∗∗ Cisco beseitigt kritische Schwachstellen aus Small Business-Routern der RV-Serie ∗∗∗ --------------------------------------------- Jetzt updaten: Remote Code Execution und Denial-of-Service wären mögliche Angriffskonsequenzen. Auch für weitere Cisco-Produkte sind wichtige Updates verfügbar. --------------------------------------------- https://heise.de/-6155856 ∗∗∗ Sicherheitsforscher entdecken Schwachstellen in Industriekontrollsystemen von Mitsubishi ∗∗∗ --------------------------------------------- Die Patches sind bereits in Arbeit, aber noch nicht erhältlich. Grund dafür ist ein aufwändiges Zertifizierungsverfahren. Möglicherweise sind auch Produkte anderer Hersteller betroffen. --------------------------------------------- https://www.zdnet.de/88396132/sicherheitsforscher-entdecken-schwachstellen-… ∗∗∗ Black Hat USA 2021: Security Advisories – mehr Durchblick dank Automatisierung ∗∗∗ --------------------------------------------- Uneinheitliche Advisory-Formate kosten wertvolle Zeit. Und wie beschreibt man eigentlich eine "Nicht-Verwundbarkeit"? CSAF und VEX sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6155594 ∗∗∗ Microsoft Teams korrekt absichern ∗∗∗ --------------------------------------------- Microsoft Teams ist beliebt, gerät aber immer stärker ins Visier von Hackern. Wie Sie den Schutz der Kollaborations-Software am besten bewerkstelligen, schildert Bert Skorupski, Senior Manager Sales Engineering bei Quest Software, im ersten Teil eines zweiteiligen Gastbeitrages. --------------------------------------------- https://www.zdnet.de/88396112/microsoft-teams-korrekt-absichern/ ∗∗∗ Vorsicht vor mykundenservice.com: Hohe Telefonrechnung droht! ∗∗∗ --------------------------------------------- Während die meisten Unternehmen Kontakttelefonnummern offen kommunizieren, tun dies andere nicht. Da wäre eine Sammlung von Kontaktnummern durchaus hilfreich. Auf mykundenservice.com verspricht man zwar eine solche Sammlung, doch eigentlich lockt man zum Anruf einer 0900-Nummer. Achtung: Hier entstehen hohe Kosten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-mykundenservicecom-hohe… ∗∗∗ How to Protect against EMOTET - "The World’s Most Dangerous Malware" ∗∗∗ --------------------------------------------- In the summer of 2020, malware infections were on a clear rise. Many new variants were appearing, and enterprises, government agencies, business leaders, and public officials were all voicing concern. Yet, seven years after it was first discovered, the spread of the EMOTET malware was arguably most concerning of all. --------------------------------------------- https://www.beyondtrust.com/blog/entry/how-to-protect-against-emotet-the-wo… ∗∗∗ Windows admins now can block external devices via layered Group Policy ∗∗∗ --------------------------------------------- Microsoft has added support for layered Group Policies, which allow IT admins to control what internal or external devices users can be installed on corporate endpoints across their organizations network. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-admins-now-can-bloc… ∗∗∗ MacOS Flaw in Telegram Retrieves Deleted Messages ∗∗∗ --------------------------------------------- Telegram declined to fix a scenario in which the flaw can be exploited, spurring a Trustwave researcher to decline a bug bounty and to disclose his findings instead. --------------------------------------------- https://threatpost.com/macos-flaw-in-telegram-retrieves-deleted-messages/16… ∗∗∗ Examining Unique Magento Backdoors ∗∗∗ --------------------------------------------- During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrates the ever-changing landscape of website security and highlights some of the tactics used to avoid traditional backdoor detection. --------------------------------------------- https://blog.sucuri.net/2021/08/examining-unique-magento-backdoors.html ∗∗∗ Microsoft Patched the Issue With Windows Containers That Enabled Siloscape ∗∗∗ --------------------------------------------- Microsoft recently added additional security checks that address the Windows container escape that enabled Siloscape. --------------------------------------------- https://unit42.paloaltonetworks.com/windows-container-escape-patch/ ∗∗∗ Meet Prometheus, the secret TDS behind some of today’s malware campaigns ∗∗∗ --------------------------------------------- A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using a network of hacked websites. --------------------------------------------- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-today… ∗∗∗ Pegasus Spyware: How It Works and What It Collects ∗∗∗ --------------------------------------------- An NSO document leaked to the internet reveals how the Pegasus spyware - sold to intelligence and law enforcement agencies around the world - can be used to spy on targeted mobile phones. --------------------------------------------- https://zetter.substack.com/p/pegasus-spyware-how-it-works-and ∗∗∗ From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator ∗∗∗ --------------------------------------------- Knock knock, who’s there? Your new DA! Several vulnerabilities that have been recently disclosed, namely: MS-EFSRPC – AKA PetitPotam Credential Relaying abusing the AD CS role Any attacker with internal network access, such as a phished client or a malicious planted device in the network, can take over the entire Active Directory domain without any [...] --------------------------------------------- https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2021-08-04 ∗∗∗ --------------------------------------------- 1 critical, 4 high, 2 medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ SA44858 - 9.1R12 Security Fixes ∗∗∗ --------------------------------------------- [...] Fixes for all the CVEs listed above have been included in the latest version of PCS, 9.1R12, which was released on 2 August 2021. We strongly encourage you to upgrade to ensure your organization is protected. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858 ∗∗∗ VMSA-2021-0016 ∗∗∗ --------------------------------------------- VMware Workspace One Access, Identity Manager and vRealize Automation address multiple vulnerabilities (CVE-2021-22002, CVE-2021-22003) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0016.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9 and openexr), openSUSE (mariadb and virtualbox), Red Hat (go-toolset-1.15 and go-toolset-1.15-golang), SUSE (djvulibre and mariadb), and Ubuntu (opencryptoki). --------------------------------------------- https://lwn.net/Articles/865306/ ∗∗∗ Amazon and Google patch major bug in their DNS-as-a-Service platforms ∗∗∗ --------------------------------------------- At the Black Hat security conference today, two security researchers have disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platforms nodes, intercept some of the incoming DNS traffic, and then map customers internal networks. --------------------------------------------- https://therecord.media/amazon-and-google-patch-major-bug-in-their-dns-as-a… ∗∗∗ IBM Security Bulletins 2021-08-04 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ BIG-IP LTM HTTP/2 desync attacks: malicious CRLF placement security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97045220 ∗∗∗ BIG-IP LTM HTTP/2 desync attacks: request line injection ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63312282 ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0832 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2021
by Daily end-of-shift report 04 Aug '21

04 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-08-2021 18:00 − Mittwoch 04-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Cobalt Strike bugs allow takedown of attackers’ servers ∗∗∗ --------------------------------------------- Security researchers have discovered Cobalt Strike denial of service (DoS) vulnerabilities that allow blocking beacon command-and-control (C2) communication channels and new deployments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cobalt-strike-bugs-allow… ∗∗∗ Phishing Campaign Dangles SharePoint File-Shares ∗∗∗ --------------------------------------------- Attackers spoof sender addresses to appear legitimate in a crafty campaign that can slip past numerous detections, Microsoft researchers have discovered. --------------------------------------------- https://threatpost.com/phishing-sharepoint-file-shares/168356/ ∗∗∗ Three Problems with Two Factor Authentication, (Tue, Aug 3rd) ∗∗∗ --------------------------------------------- Usability remains a challenge for two-factor authentication. I recently came across a review of a healthcare-related mobile app, and a one-star review complained about how unusable the application is due to its two-factor requirement. --------------------------------------------- https://isc.sans.edu/diary/rss/27704 ∗∗∗ Pivoting and Hunting for Shenanigans from a Reported Phishing Domain, (Wed, Aug 4th) ∗∗∗ --------------------------------------------- I was alerted to a web page masquerading as a local financial institution earlier in the day. The phishing web page was constructed well, looked extremely similar to the financial institutions actual page and had input fields for victims to input their credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/27710 ∗∗∗ SAML is insecure by design ∗∗∗ --------------------------------------------- SAML uses signatures based on computed values. The practice is inherently insecure and thus SAML as a design is insecure. --------------------------------------------- https://joonas.fi/2021/08/saml-is-insecure-by-design/ ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a use-after-free vulnerability in a specific function of tinyobjloader. --------------------------------------------- https://blog.talosintelligence.com/2021/08/vuln-spotlight-.html ∗∗∗ Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure ∗∗∗ --------------------------------------------- Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting. --------------------------------------------- https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitorin… ∗∗∗ OpSec Leaky Images ∗∗∗ --------------------------------------------- Hackers love your marketing department. Fact! Your marketing department love telling the world what happens in your company, then they attach images to the posts, often of staff at work. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-leaky-images/ ∗∗∗ Achtung Scheckbetrug: Restaurant-BesitzerInnen erhalten betrügerische Reservierungsanfragen! ∗∗∗ --------------------------------------------- BetrügerInnen versuchen mit vermeintlichen Reservierungen an das Geld von Restaurant-BesitzerInnen zu kommen: Wenn ein vermeintlicher Gast aus dem Ausland für eine größere Gruppe reservieren und das Geld vorab per Scheck bezahlen will, gilt es vorsichtig zu sein. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-scheckbetrug-restaurant-besi… ∗∗∗ IntelMQ 3.0 - Configuration, Domain based workflow, IEPs ∗∗∗ --------------------------------------------- We are happy to announce the completion of the IntelMQ 3.0 milestone. --------------------------------------------- https://cert.at/en/blog/2021/8/intelmq-30-domain-based-workflow-ieps ∗∗∗ Shodan Verified Vulns 2021-08-01 ∗∗∗ --------------------------------------------- Schwachstellen machen leider keine Pause im Sommer und entsprechend haben wir auch diesen Monat wieder einen Blick auf jene geworfen, die Shodan in Österreich sieht. --------------------------------------------- https://cert.at/de/aktuelles/2021/8/shodan-verified-vulns-2021-08-01 ===================== = Vulnerabilities = ===================== ∗∗∗ INFRA:HALT: Neue Schwachstellen im TCP/IP-Stack von Industriegeräten entdeckt ∗∗∗ --------------------------------------------- Das Forscherteam um "Amnesia:33", "Number:Jack" und Co. hat weitere Schwachstellen gefunden – diesmal im "NicheStack" für den Bereich Operational Technology. --------------------------------------------- https://heise.de/-6154631 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, libpam-tacplus, and wordpress), Fedora (buildah and podman), openSUSE (thunderbird and webkit2gtk3), Oracle (kernel and varnish:6), SUSE (kernel, kvm, and webkit2gtk3), and Ubuntu (libdbi-perl and php-pear). --------------------------------------------- https://lwn.net/Articles/865192/ ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons IO may affect Cúram Social Program Management (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Vulnerability in Dojo may affect Cúram Social Program Management (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may… ∗∗∗ Security Bulletin: IBM API Connect is impacted by reflected cross site scripting (CVE-2020-4707) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ PHOENIX CONTACT : Products utilizing WIBU SYSTEMS CodeMeter components in versions prior to V7.21a ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-036 ∗∗∗ PHOENIX CONTACT : DoS for PLCnext Control devices in versions prior to 2021.0.5 LTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-029 ∗∗∗ Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0830 ∗∗∗ Cross Site Request Forgery (CSRF) vulnerability in Bosch IP cameras ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-033305-bt.html ∗∗∗ SYSS-2021-042: Tiny Java Web Server and Servlet Container (TJWS) – Reflected Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-042-tiny-java-web-server-and-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2021
by Daily end-of-shift report 03 Aug '21

03 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 02-08-2021 18:00 − Dienstag 03-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supply-Chain-Angriffe: EU-Behörde empfiehlt Code-Checks für Abhängigkeiten ∗∗∗ --------------------------------------------- Als Reaktion auf Angriffe wie bei Solarwinds hat die zuständige EU-Behörde einen einfachen Rat. Doch entsprechende Maßnahmen kann offenbar nicht mal Microsoft umsetzen. --------------------------------------------- https://www.golem.de/news/supply-chain-angriffe-eu-behoerde-empfiehlt-code-… ∗∗∗ Do You Trust Your Smart TV? ∗∗∗ --------------------------------------------- Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy? --------------------------------------------- https://securityaffairs.co/wordpress/120752/iot/smart-tv-security.html ∗∗∗ Android-Patchday: Google bessert unter anderem beim Media Framework nach ∗∗∗ --------------------------------------------- Updates für das mobile Betriebssystem zielen wieder einmal auf das Media Framework, beseitigen aber etwa auch kritische Lücken aus Qualcomm-Komponenten. --------------------------------------------- https://heise.de/-6154130 ∗∗∗ RDP brute force attacks explained ∗∗∗ --------------------------------------------- A simple and straightforward explanation of what RDP brute force attacks are, why they are so dangerous, and what you can do about them. --------------------------------------------- https://blog.malwarebytes.com/explained/2021/08/rdp-brute-force-attacks-exp… ∗∗∗ Gefälschte A1-Rechnung führt zu Schadsoftware ∗∗∗ --------------------------------------------- Aktuell werden gefälschte A1-E-Mails mit dem Betreff "Rechnung vom 04.07.2021" versendet. Im E-Mail wird behauptet, dass eine Zahlung nicht bearbeitet werden konnte. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-a1-rechnung-fuehrt-zu-sc… ∗∗∗ Raccoon stealer-as-a-service will now try to grab your cryptocurrency ∗∗∗ --------------------------------------------- The malware has been upgraded to target even more financial information. --------------------------------------------- https://www.zdnet.com/article/raccoon-stealer-as-a-service-will-now-try-to-… ∗∗∗ CISA and NSA Release Kubernetes Hardening Guidance ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have released Kubernetes Hardening Guidance, a cybersecurity technical report detailing the complexities of securely managing Kubernetes—an open-source, container-orchestration system used to automate deploying, scaling, and managing containerized applications. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/02/cisa-and-nsa-rele… ∗∗∗ Positive Technologies: APT group targeting government agencies around the world detected in Russia for the first time ∗∗∗ --------------------------------------------- Positive Technologies Expert Security Center (PT ESC) revealed new attacks by APT31 and analyzed its new tool—a malicious software that allows criminals to control a victim’s computer or network by using remote access. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-apt-group… ∗∗∗ PetitPotam-Angriffe auf Windows durch RPC-Filter blocken ∗∗∗ --------------------------------------------- Sicherheitsforscher haben kürzlich einen neuen Angriffsvektor namens PetitPotam offen gelegt. Mittels eines NTLM-Relay-Angriffs kann jeder Windows Domain Controller übernommen werden. --------------------------------------------- https://www.borncity.com/blog/2021/08/03/petitpotam-angriffe-auf-windows-du… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#405600: Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks ∗∗∗ --------------------------------------------- Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory. --------------------------------------------- https://kb.cert.org/vuls/id/405600 ∗∗∗ PwnedPiper: Rohrpostsysteme in US-Krankenhäusern über Firmware-Lücken angreifbar ∗∗∗ --------------------------------------------- Sicherheitslücken erlaubten Forschern die komplette Übernahme von "Translogic"-Rohrpostsystemen. Hersteller Swisslog Healthcare hat Updates veröffentlicht. --------------------------------------------- https://heise.de/-6153319 ∗∗∗ Chrome: Browser-Update für den Desktop schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Für die Windows-, Linux- und macOS-Ausgaben des Chrome-Browsers ist ein Update mit insgesamt zehn Security-Fixes verfügbar. --------------------------------------------- https://heise.de/-6153994 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, nodejs, nodejs-lts-erbium, and nodejs-lts-fermium), Debian (pyxdg, shiro, and vlc), openSUSE (qemu), Oracle (lasso), Red Hat (glibc, lasso, rh-php73-php, rh-varnish6-varnish, and varnish:6), Scientific Linux (lasso), SUSE (dbus-1, lasso, python-Pillow, and qemu), and Ubuntu (exiv2, gnutls28, and qpdf). --------------------------------------------- https://lwn.net/Articles/865029/ ∗∗∗ Code Execution Flaw Found in Cisco Firepower Device Manager On-Box Software ∗∗∗ --------------------------------------------- Cisco has addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software that could be exploited to gain code execution on vulnerable devices. --------------------------------------------- https://www.securityweek.com/code-execution-flaw-found-cisco-firepower-devi… ∗∗∗ Bypassing Authentication on Arcadyan Routers with CVE-2021–20090 and rooting some Buffalo ∗∗∗ --------------------------------------------- In the following sections we will look at how I took the Buffalo devices apart, did a not-so-great solder job, and used a shell offered up on UART to help find a couple of bugs that could let users bypass authentication to the web interface and enable a root BusyBox shell on telnet. --------------------------------------------- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-ro… ∗∗∗ Spyware-ähnliche Funktionen in China-App Bejing One Pass gefunden ∗∗∗ --------------------------------------------- Ausländische Firmen, die in China tätig sind, benötigen die App Beijing One Pass, um Zugang zu einer digitalen Plattform für die Verwaltung der staatlichen Leistungen für Arbeitnehmer zu erhalten. Nun haben Sicherheitsspezialisten in dieser App Spyware ähnliche Funktionen gefunden. --------------------------------------------- https://www.borncity.com/blog/2021/08/02/spyware-hnliche-funktionen-in-chin… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-20227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: A vulnerabilty in encoding/unicode in the UTF-16 decoder has been found in x/text package before v0.3.3 for Go that could lead to an infinite loop and denial of service, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-in-encodin… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-20227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Vulnerability in ksh affects AIX (CVE-2021-29741) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksh-affe… ∗∗∗ JSA11209 ∗∗∗ --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11209 ∗∗∗ Linux kernel vulnerability CVE-2021-33909 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75133288?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2021
by Daily end-of-shift report 02 Aug '21

02 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-07-2021 18:00 − Montag 02-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Linux eBPF bug gets root privileges on Ubuntu - Exploit released ∗∗∗ --------------------------------------------- CVE-2021-3490. A security researcher released exploit code for a high-severity vulnerability in Linux kernel eBPF (Extended Berkeley Packet Filter) that can give an attacker increased privileges on Ubuntu machines. ... If properly exploited, a local attacker could get kernel privileges to run arbitrary code on the machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-ebpf-bug-gets-root-pri… ∗∗∗ Remote print server gives anyone Windows admin privileges on a PC ∗∗∗ --------------------------------------------- A researcher has created a remote print server allowing any Windows user with limited privileges to gain complete control over a device simply by installing a print driver. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/remote-print-server-gives-a… ∗∗∗ New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits ∗∗∗ --------------------------------------------- A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks. --------------------------------------------- https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.h… ∗∗∗ PwnedPiper threatens thousands of hospitals worldwide, patch your systems now ∗∗∗ --------------------------------------------- Nine critical vulnerabilities in a popular hospital pneumatic tube software could give attackers control of infrastructure and allow them to launch additional attacks that cripple healthcare operations. Discovered by researchers at security platform provider Armis and dubbed PwnedPiper, the vulnerabilities are in the Nexus Control Panel software used by Translogic pneumatic tube systems (PTS) built by Swisslog Healthcare. --------------------------------------------- https://www.techrepublic.com/article/pwnedpiper-threatens-thousands-of-hosp… ∗∗∗ Vultur: Android-Trojaner späht Login-Daten für Bankkonten und E-Wallets aus ∗∗∗ --------------------------------------------- Die fernsteuerbare Malware Vultur für Android-Smartphones nutzt Funktionen zur Bildschirmaufzeichnung, um sensible Informationen auf Handys zu stehlen. --------------------------------------------- https://heise.de/-6152250 ∗∗∗ Palo Alto Networks Discloses New Attack Surface Targeting Microsoft IIS and SQL Server at Black Hat Asia 2021 ∗∗∗ --------------------------------------------- The technique allows attackers to remotely attack IIS and SQL Server to gain SYSTEM privileges by using Microsoft Jet database engine vulnerabilities. ... In response to this research, Microsoft released a complex patch to mitigate this attack surface. However, the patch is turned off by default and most Jet vulnerabilities are still not patched. We highly recommend that our customers proactively turn on mitigation to disable remote tables access in the registry and stay cautious of these kinds of attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/iis-and-sql-server/ ∗∗∗ Decryptor released for Prometheus ransomware victims ∗∗∗ --------------------------------------------- Taiwanese security firm CyCraft has released a free application that can help victims of the Prometheus ransomware recover and decrypt some of their files. --------------------------------------------- https://therecord.media/decryptor-released-for-prometheus-ransomware-victim… ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit PDF Reader und Editor: Updates beseitigen zahlreiche Schwachstellen ∗∗∗ --------------------------------------------- Für Foxits PDF-Software für Windows und macOS stehen Aktualisierungen bereit, die unter anderem vor Remote Code Execution-Angriffen schützen sollen. --------------------------------------------- https://heise.de/-6152683 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (389-ds-base, consul, containerd, geckodriver, powerdns, vivaldi, webkit2gtk, and wpewebkit), Debian (aspell, condor, libsndfile, linuxptp, and lrzip), and Fedora (bluez, buildah, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, kernel, kernel-tools, mbedtls, mingw-exiv2, mingw-python-pillow, mrxvt, python-pillow, python2-pillow, redis, and seamonkey). --------------------------------------------- https://lwn.net/Articles/864898/ ∗∗∗ MISP: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MISP ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0823 ∗∗∗ Security Bulletin: October 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-october-2020-patch-update… ∗∗∗ Security Bulletin: Apache Commons ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons/ ∗∗∗ Security Bulletin: Vulnerability in ksh affects AIX (CVE-2021-29741) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksh-affe… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js lodash module ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Potential vulnerability with FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Cloud Pak for Security has several security vulnerabilities addressed in the latest version ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-ha… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: January 2021 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-january-2021-patch-update… ∗∗∗ Security Bulletin: Oct 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oct-2020-patch-update-for… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Potential vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: October 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-october-2020-patch-update… ∗∗∗ Security Bulletin: User Behavior Analytics application add on to IBM QRadar SIEM performs improper CSRF checking for some components ( CVE-2021-29757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-user-behavior-analytics-a… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js lodash module ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by XML External Entity Injection vulnerability in WebSphere (CVE-2020-4949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager DR ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: Potential vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager HA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2021
by Daily end-of-shift report 30 Jul '21

30 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-07-2021 18:00 − Freitag 30-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ [SANS ISC] Infected With a .reg File ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Infected With a .reg File“: Yesterday, I reported a piece of malware that uses archive.org to fetch its next stage. Today, I spotted another file that is also interesting: A Windows Registry file (with a “.reg” extension). Such files are text files created by exporting values [...] --------------------------------------------- https://blog.rootshell.be/2021/07/30/sans-isc-infected-with-a-reg-file/ ∗∗∗ The Life Cycle of a Breached Database ∗∗∗ --------------------------------------------- Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Heres a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database. --------------------------------------------- https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/ ∗∗∗ Threat Spotlight: Solarmarker ∗∗∗ --------------------------------------------- Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger.A previous staging module, "d.m," used with this malware has been replaced by a new module dubbed "Mars." --------------------------------------------- https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html ∗∗∗ This Week in Security: Fail2RCE, TPM Sniffing, Fishy Leaks, and Decompiling ∗∗∗ --------------------------------------------- Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker [...] --------------------------------------------- https://hackaday.com/2021/07/30/this-week-in-security-fail2rce-tpm-sniffing… ∗∗∗ Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers ∗∗∗ --------------------------------------------- RiskIQs Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russias aggressive cyber campaigns topped the list of President Bidens strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16. This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/ ∗∗∗ NSA Releases Guidance on Securing Wireless Devices While in Public ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/30/nsa-releases-guid… ∗∗∗ Python team fixes bug that allowed takeover of PyPI repository ∗∗∗ --------------------------------------------- The Python security team has fixed today three vulnerabilities impacting the Python Package Index (PyPI), the official repository for Python libraries, including one that could have allowed a threat actor to take full control over the portal. --------------------------------------------- https://therecord.media/python-team-fixes-bug-that-allowed-takeover-of-pypi… ===================== = Vulnerabilities = ===================== ∗∗∗ Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password ∗∗∗ --------------------------------------------- The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform authentication detriment and account password change with administrative privileges if a logged-in user visits a malicious web site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php ∗∗∗ Cisco Web Security Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. (Version 1.1 - Added a new fixed release.) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities Patched in WordPress Download Manager ∗∗∗ --------------------------------------------- On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations. --------------------------------------------- https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabi… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf). --------------------------------------------- https://lwn.net/Articles/864684/ ∗∗∗ PEPPERL+FUCHS: Security Advisory for PrintNightmare Vulnerability in multiple HMI Devices ∗∗∗ --------------------------------------------- A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-034 ∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Hitachi ABB Power Grids eSOMS management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-01 ∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for Buffer Over-read vulnerabilities in Wibu-Systems CodeMeter Runtime license manager software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02 ∗∗∗ Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerab… ∗∗∗ Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29736) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: i2 Analyze has an information disclosure vulnerability (CVE-2019-17638) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyze-has-an-informa… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ( CVE-2021-20417, CVE-2021-20415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2021
by Daily end-of-shift report 29 Jul '21

29 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-07-2021 18:00 − Donnerstag 29-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Verschlüsselung: Windows-Verschlüsselung Bitlocker trotz TPM-Schutz umgangen ∗∗∗ --------------------------------------------- Eine mit Bitlocker verschlüsselte SSD mit TPM-Schutz lässt sich relativ einfach knacken. Ein Passwort schützt, ist aber nicht der Standard. --------------------------------------------- https://www.golem.de/news/verschluesselung-windows-verschluesselung-bitlock… ∗∗∗ Voucher von EUSC 2021 für kostenlose Hotelübernachtungen? Versteckte Kosten! ∗∗∗ --------------------------------------------- Auf Facebook und Instagram wird von „EUCS 2021“ eine Umfrage zu Tourismuspräferenzen beworben. Als Dankeschön für die Teilnahme wird ein Voucher für 3 kostenlose Übernachtungen für 2 Personen versprochen. Beim Einlösen dieses Gutscheins werden jedoch unterschiedliche Gebühren fällig. --------------------------------------------- https://www.watchlist-internet.at/news/voucher-von-eusc-2021-fuer-kostenlos… ∗∗∗ Microsoft Security Update Revisions (29. Juli 2021) ∗∗∗ --------------------------------------------- Kurzinformation für Windows-Admins im Firmenumfeld. Microsoft hat die Nacht zum 29.7.2021 revidierte Sicherheitsupdates zur Abschwächung der NTLM Relay Attacken auf Active Directory-Zertifikate und zur Schwachstelle CVE-2021-36934 (Windows Elevation of Privilege Vulnerability) veröffentlicht. Ich stelle es man unkommentiert hier zur Info [...] --------------------------------------------- https://www.borncity.com/blog/2021/07/29/microsoft-security-update-revision… ∗∗∗ DoppelPaymer ransomware gang rebrands as the Grief group ∗∗∗ --------------------------------------------- After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief). --------------------------------------------- https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang… ∗∗∗ Tools To Quickly Extract Indicators of Compromise ∗∗∗ --------------------------------------------- Brush up on indicators of compromise, their relationship to your internal threat intelligence, and tools to help you quickly extract them from PDFs and plain text. --------------------------------------------- https://www.domaintools.com/resources/blog/tools-to-quickly-extract-indicat… ∗∗∗ APT trends report Q2 2021 ∗∗∗ --------------------------------------------- This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2021/103517/ ∗∗∗ Reboot of PunkSpider Tool at DEF CON Stirs Debate ∗∗∗ --------------------------------------------- Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON. --------------------------------------------- https://threatpost.com/punkspider-def-con-debate/168223/ ∗∗∗ Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them ∗∗∗ --------------------------------------------- Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them. --------------------------------------------- https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/1… ∗∗∗ BazaCall: Phony call centers lead to exfiltration and ransomware ∗∗∗ --------------------------------------------- Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-cent… ∗∗∗ Malicious Content Delivered Through archive.org, (Thu, Jul 29th) ∗∗∗ --------------------------------------------- archive.org[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself. --------------------------------------------- https://isc.sans.edu/diary/rss/27688 ∗∗∗ Stylish Magento Card Stealer loads Without Script Tags ∗∗∗ --------------------------------------------- Recently one of our analysts, Weston H., found a very interesting credit card stealer in a Magento environment which loads a malicious JavaScript without using any script tags. In this post I will go over how it was found, how to decode it and how it works! --------------------------------------------- https://blog.sucuri.net/2021/07/stylish-magento-card-stealer-loads-without-… ∗∗∗ Crimea "manifesto" deploys VBA Rat using double attack vectors ∗∗∗ --------------------------------------------- On July 21, 2021, we identified a suspicious document named "Манифест.docx" ("Manifest.docx") that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-… ∗∗∗ “Netfilter Rootkit II ” Continues to Hold WHQL Signatures ∗∗∗ --------------------------------------------- Recently, 360 Security Center discovered that a malicious driver “Netfilter rootkit” with WHQL signature was revealed in mid-June. WHQL signature means that after the [...] --------------------------------------------- https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold… ∗∗∗ Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers ∗∗∗ --------------------------------------------- Regularly rebooting smartphones can make even the most sophisticated hackers work harder to maintain access and steal data from a phone --------------------------------------------- https://www.securityweek.com/turn-turn-simple-step-can-thwart-top-phone-hac… ∗∗∗ McAfee: Babuk ransomware decryptor causes encryption beyond repair ∗∗∗ --------------------------------------------- Babuk announced earlier this year that it would be targeting Linux/UNIX and ESXi or VMware systems with ransomware. --------------------------------------------- https://www.zdnet.com/article/mcafee-babuk-ransomware-decryptor-causes-encr… ∗∗∗ New Android malware records smartphones via VNC to steal passwords ∗∗∗ --------------------------------------------- Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record a victims smartphone screen in order to collect and steal their passwords. --------------------------------------------- https://therecord.media/new-android-malware-records-smartphones-via-vnc-to-… ∗∗∗ Communication during a hacker attack ∗∗∗ --------------------------------------------- You cannot trust your office PC during a major incident. You can neither trust your usual communication and collaboration tools. If an attacker can authenticate on any domain-joined device with any domain user, the game is over. --------------------------------------------- https://securityguide.me/issues/communication-during-a-hacker-attack ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-909: (0Day) Microsoft 3D Viewer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft 3D Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-909/ ∗∗∗ Drupal: Wichtiges Sicherheitsupdate für "Pages Restriction Access"-Modul ∗∗∗ --------------------------------------------- Ein Update für "Pages Restriction Access" für die 8er-Versionsreihe des CMS Drupal beseitigt Zugriffsmöglichkeiten über eine kritische Sicherheitslücke. --------------------------------------------- https://heise.de/-6150416 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and [...] --------------------------------------------- https://lwn.net/Articles/864577/ ∗∗∗ Tomcat vulnerability CVE-2021-30640 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35033051 ∗∗∗ Apache Tomcat vulnerability CVE-2021-30639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87895241 ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Elastic Storage System (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-20505 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2021
by Daily end-of-shift report 28 Jul '21

28 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-07-2021 18:00 − Mittwoch 28-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Haron and BlackMatter are the latest groups to crash the ransomware party ∗∗∗ --------------------------------------------- The additions come as the number of high-severity ransomware attacks ratchet up. --------------------------------------------- https://arstechnica.com/?p=1783582 ∗∗∗ LockBit ransomware now encrypts Windows domains using group policies ∗∗∗ --------------------------------------------- An new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encry… ∗∗∗ Sicherheitswarnung: BSI sieht kaum Schutzmöglichkeiten vor Pegasus ∗∗∗ --------------------------------------------- Das BSI hat eine offizielle Warnung vor der Spionagesoftware Pegasus veröffentlicht. Die Bedrohungslage wird aber nicht als kritisch eingestuft. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-bsi-sieht-kaum-schutzmoeglichk… ∗∗∗ UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild ∗∗∗ --------------------------------------------- An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. --------------------------------------------- https://thehackernews.com/2021/07/ubel-is-new-oscorp-android-credential.html ∗∗∗ Top 25 der Sicherheitslücken: Buffer Overflows als größte Gefahrenquelle ∗∗∗ --------------------------------------------- Eine kürzlich veröffentlichte Auswertung von häufigen Softwareschwachstellen liefert eine Übersicht über die 25 gefährlichsten Arten. --------------------------------------------- https://heise.de/-6148053 ∗∗∗ Vorsicht bei der Urlaubsbuchung: BetrügerInnen geben sich als türkische Luxus-Hotels aus! ∗∗∗ --------------------------------------------- Wer einen Urlaub in der Türkei buchen will, sollte sich vor BetrügerInnen in Acht nehmen, die Webseiten türkischer Luxus-Hotels kopieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-betr… ∗∗∗ THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group ∗∗∗ --------------------------------------------- We provide a technical overview of the previously unseen PlugX variant THOR, indicators of compromise and a new tool for payload decryption. --------------------------------------------- https://unit42.paloaltonetworks.com/thor-plugx-variant/ ∗∗∗ Ransomware Families: 2021 Data to Supplement the Unit 42 Ransomware Threat Report ∗∗∗ --------------------------------------------- We discuss the propagation of different ransomware families we observed in the wild in early 2021 and the different types of extortion used. --------------------------------------------- https://unit42.paloaltonetworks.com/ransomware-families/ ∗∗∗ Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have released the Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/28/top-routinely-exp… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Microsoft Hyper-V bug could haunt orgs for a long time ∗∗∗ --------------------------------------------- Technical details are now available for a vulnerability that affects Hyper-V, Microsofts native hypervisor for creating virtual machines on Windows systems and in Azure cloud computing environment. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-b… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang), Mageia (curl, filezilla, jdom/jdom2, netty, pdfbox, perl-Mojolicious, perl-Net-CIDR-Lite, perl-Net-Netmask, python-urllib3, python3, quassel, transfig, and virtualbox), openSUSE (umoci), Red Hat (rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and SUSE (firefox, glibc, libsndfile, linuxptp, qemu, and umoci). --------------------------------------------- https://lwn.net/Articles/864497/ ∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Mgmt (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Vulnerability deferred from Oracle Oct 2020 CPU for Java 8 (CVE-2020-14781 ) may affect IBM® SDK, Java™ Technology Edition and IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-deferred-fr… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Analyst's Notebook Premium uses a component with known vulnerabilities (CVE-2020-16013, CVE-2020-16009, CVE-2020-15999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analysts-notebook-pre… ∗∗∗ Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-gu… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: HTTP Header Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2021-20560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-http-header-vulnerability… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM i2 Analyze (CVE-2021-29766) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Transparent Could Tiering is affected by a vulnerability in Apache Commons IO ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tie… ∗∗∗ Security Bulletin: i2 Analyse and Analyst's Notebook Premium have hyperlink clicking vulnerability (CVE-2021-29770) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyse-and-analysts-n… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ SECURITY BULLETIN: July 28, 2021, Security Bulletin for Worry-Free Business Security ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000287820 ∗∗∗ SECURITY BULLETIN: July 28, 2021, Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000287819 ∗∗∗ MISP: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0814 ∗∗∗ KUKA KR C4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01 ∗∗∗ Mitsubishi Electric GOT2000 series and GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-02 ∗∗∗ Geutebrück G-Cam E2 and G-Code ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-04 ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2021
by Daily end-of-shift report 27 Jul '21

27 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 26-07-2021 18:00 − Dienstag 27-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Failed Malspam: Recovering The Password, (Mon, Jul 26th) ∗∗∗ --------------------------------------------- Jan's diary entry "One way to fail at malspam - give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking. --------------------------------------------- https://isc.sans.edu/diary/rss/27674 ∗∗∗ Hiding Malware in ML Models ∗∗∗ --------------------------------------------- “EvilModel: Hiding Malware Inside of Neural Network Models”. --------------------------------------------- https://www.schneier.com/blog/archives/2021/07/hiding-malware-in-ml-models.… ∗∗∗ OSX.XLoader hides little except its main purpose: What we learned in the installation process ∗∗∗ --------------------------------------------- We dig into OSX.XLoader, also known as X Loader, which is the latest threat to macOS that bears some similarities to novice malware. --------------------------------------------- https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-i… ∗∗∗ Malware developers turn to exotic programming languages to thwart researchers ∗∗∗ --------------------------------------------- They are focused on exploiting pain points in code analysis and reverse-engineering. --------------------------------------------- https://www.zdnet.com/article/malware-developers-turn-to-exotic-programming… ∗∗∗ Wie MSPs am besten mit der Ransomware-Krise umgehen können ∗∗∗ --------------------------------------------- Managed Service Provider (MSPs) spielen eine kritische Rolle im Kampf gegen Schadsoftware. Allerdings traf die Ransomware-Attacke auf Kaseya dutzende von MSPs mit voller Wucht und dadurch mittelbar auch deren Kunden. --------------------------------------------- https://www.zdnet.de/88395971/wie-msps-am-besten-mit-der-ransomware-krise-u… ∗∗∗ Praying Mantis APT targets IIS servers with ASP.NET exploits ∗∗∗ --------------------------------------------- A new advanced persistent threat (APT) group has been seen carrying out attacks against Microsoft IIS web servers using old exploits in ASP.NET applications in order to plant a backdoor and then pivot to companys internal networks. --------------------------------------------- https://therecord.media/praying-mantis-apt-targets-iis-servers-with-asp-net… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes zero-day affecting iPhones and Macs, exploited in the wild ∗∗∗ --------------------------------------------- Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-affecting-… ∗∗∗ Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities ∗∗∗ --------------------------------------------- Security researchers warn of new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-warn-of-unpatche… ∗∗∗ Moodle: Neue Versionen beseitigen Remote-Angriffsmöglichkeit via Shibboleth ∗∗∗ --------------------------------------------- Mehrere Versionen der Lernplattform sind, allerdings nur bei aktivierter Shibboleth-Authentifizierung, aus der Ferne angreifbar. Updates stehen bereit. --------------------------------------------- https://heise.de/-6148879 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/864439/ ∗∗∗ Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email ∗∗∗ --------------------------------------------- Vulnerabilities in the Zimbra enterprise webmail solution could allow an attacker to gain unrestricted access to an organization’s sent and received email messages, software security firm SonarSource reveals. --------------------------------------------- https://www.securityweek.com/vulnerabilities-allow-hacking-zimbra-webmail-s… ∗∗∗ Security Bulletin: A security vulnerability in Golang Go affects IBM Cloud Pak for Multicloud Management Managed services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: XSS Security Vulnerabilty Affects Mailbox UI of IBM Sterling B2B Integrator (CVE-2021-20562) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-security-vulnerabilty… ∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: GRUB2 as used by IBM QRadar SIEM is vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-grub2-as-used-by-ibm-qrad… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20399) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ MIT Kerberos: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0809 ∗∗∗ VLC: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0807 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0812 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2021
by Daily end-of-shift report 26 Jul '21

26 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-07-2021 18:00 − Montag 26-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Windows-Netze verwundbar für Relay-Angriff PetitPotam ∗∗∗ --------------------------------------------- Forscher demonstrieren einen neuen Weg, sich zum König einer Windows-Domäne aufzuschwingen. Microsoft zuckt mit den Achseln und verweist auf Härtungsmaßnahmen. --------------------------------------------- https://heise.de/-6147467 ∗∗∗ GitLab schickt Package Hunter auf die Jagd nach Schadcode ∗∗∗ --------------------------------------------- Das neue Open-Source-Tool Package Hunter soll Schadcode in Dependencies erkennen können. --------------------------------------------- https://heise.de/-6147526 ∗∗∗ No More Ransom: We Prevented Ransomware Operators From Earning $1 Billion ∗∗∗ --------------------------------------------- No More Ransom is celebrating its 5th anniversary and the project says it has helped more than 6 million ransomware victims recover their files and prevented cybercriminals from earning roughly $1 billion. No More Ransom is a joint effort of law enforcement and cybersecurity companies whose goal is to help victims of ransomware attacks recover their files without having to pay the ransom demanded by criminals. --------------------------------------------- https://www.securityweek.com/no-more-ransom-we-prevented-ransomware-operato… ∗∗∗ Microsoft warns of weeks-long malspam campaign abusing HTML smuggling ∗∗∗ --------------------------------------------- The Microsoft security team said it detected a weeks-long email spam campaign abusing a technique known as “HTML smuggling” to bypass email security systems and deliver malware to user devices. HTML smugging, as explained by SecureTeam and Outflank, is a technique that allows threat actors to assemble malicious files on users’ device by clever use of HTML5 and JavaScript code. --------------------------------------------- https://therecord.media/microsoft-warns-of-weeks-long-malspam-campaign-abus… ∗∗∗ RemotePotato0: Privilege Escalation-Schwachstelle im Windows RPC Protocol ∗∗∗ --------------------------------------------- Jedes Windows-System ist anfällig für eine bestimmte NTLM-Relay-Attacke, die es Angreifern ermöglichen könnte, die Privilegien vom Benutzer zum Domain-Admin zu erweitern. Diese Schwachstelle besitzt den Status „wird nicht behoben“ und war Gegenstand des PetitPotam-Ansatzes, den ich am Wochenende thematisiert hatte. Nun hat Antonio Cocomazzi auf die RemotePotato0 genannte Schwachstelle hingewiesen. Diese verwendet das Windows RPC Protocol für eine Privilegien-Ausweitung. --------------------------------------------- https://www.borncity.com/blog/2021/07/26/remotepotato0-privilege-escalation… ===================== = Vulnerabilities = ===================== ∗∗∗ Collabora Online: Update schützt vor unbefugten Dateizugriffen aus der Ferne ∗∗∗ --------------------------------------------- Das Collabora Online-Team rät zur Aktualisierung der Online-Officeanwendung, um eine als "kritisch" eingestufte Remote-Angriffsmöglichkeit zu beseitigen. --------------------------------------------- https://heise.de/-6147967 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird). --------------------------------------------- https://lwn.net/Articles/864346/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0805 ∗∗∗ Security Bulletin: FasterXML Vulnerability in Jackson-Databind Affects IBM Sterling Connect:Direct File Agent (CVE-2018-7489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-fasterxml-vulnerability-i… ∗∗∗ Security Bulletin: Apache Commons Configuration Vulnerability Affects IBM Sterling Connect:Direct File Agent (CVE-2020-1953) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-configurat… ∗∗∗ Security Bulletin: IBM i2 Analyze missing security header (CVE-2021-29769) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-missing-se… ∗∗∗ Security Bulletin: IBM i2 Analyze and i2 Analyst's Notebook Premium has session handling vulnerability (CVE-2021-20431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-i2-ana… ∗∗∗ Security Bulletin: Apache PDFBox as used by IBM QRadar Incident Forensics is vulnerable to denial of service (CVE-2021-27807, CVE-2021-27906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-as-used-by-… ∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29767) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: IBM i2 iBase vulnerable to DLL highjacking (CVE-2020-4623) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-ibase-vulnerable-t… ∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29784) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2021-20337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-weak… ∗∗∗ Security Bulletin: IBM i2 Analyze has an information disclosure vulnerability (CVE-2021-20430) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-has-an-inf… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2021
by Daily end-of-shift report 23 Jul '21

23 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-07-2021 18:00 − Freitag 23-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nach Lieferkettenangriff: Kaseya will Daten retten dank Entschlüsselungs-Tool ∗∗∗ --------------------------------------------- Fast drei Wochen nach dem verheerenden LIeferkettenangriff auf Kunden von Kaseya gibt es Hoffnung für die Opfer. Die US-Firma hat einen Generalschlüssel. --------------------------------------------- https://heise.de/-6145950 ∗∗∗ The NSO “Surveillance List”: What It Is and Isn’t ∗∗∗ --------------------------------------------- A series of blockbuster stories published this week around a leaked list of 50,000 phone numbers have created confusion about whether the owners of those numbers were targets of surveillance or not. --------------------------------------------- https://zetter.substack.com/p/the-nso-surveillance-list-what-it ∗∗∗ Phish Swims Past Email Security With Milanote Pages ∗∗∗ --------------------------------------------- The “Evernote for creatives” is anchoring a rapidly spiking phishing campaign, evading SEGs with ease. --------------------------------------------- https://threatpost.com/phish-email-security-milanote/168021/ ∗∗∗ When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure ∗∗∗ --------------------------------------------- LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity. --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-… ∗∗∗ Uncovering Shenanigans in an IP Address Block via Hurricane Electrics BGP Toolkit (II), (Fri, Jul 23rd) ∗∗∗ --------------------------------------------- Today's diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them. --------------------------------------------- https://isc.sans.edu/diary/rss/27664 ∗∗∗ Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software ∗∗∗ --------------------------------------------- A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further "refinements in its tactics." --------------------------------------------- https://thehackernews.com/2021/07/nasty-macos-malware-xcsset-now-targets.ht… ∗∗∗ Wake up! Identify API Vulnerabilities Proactively, From Production Back to Code ∗∗∗ --------------------------------------------- After more than 20 years in the making, now its official: APIs are everywhere. In a 2021 survey, 73% of enterprises reported that they already publish more than 50 APIs, and this number is constantly growing. APIs have crucial roles to play in virtually every industry today, and their importance is increasing steadily, as they move to the forefront of business strategies. --------------------------------------------- https://thehackernews.com/2021/07/wake-up-identify-api-vulnerabilities.html ∗∗∗ This Week in Security: NSO, Print Spooler, and a Mysterious Decryptor ∗∗∗ --------------------------------------------- The NSO Group has been in the news again recently, with multiple stories reporting on their Pegasus spyware product. The research and reporting spearheaded by Amnesty International is collectively known [...] --------------------------------------------- https://hackaday.com/2021/07/23/this-week-in-security-nso-print-spooler-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Customer Voice Portal Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, [...] --------------------------------------------- https://lwn.net/Articles/864158/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004 ∗∗∗ --------------------------------------------- Date Reported: July 23, 2021 Advisory ID: WSA-2021-0004 CVE identifiers: CVE-2021-1817, CVE-2021-1820,CVE-2021-1825, CVE-2021-1826,CVE-2021-21775, CVE-2021-21779,CVE-2021-21806, CVE-2021-30661,CVE-2021-30663, CVE-2021-30665,CVE-2021-30666, CVE-2021-30682,CVE-2021-30689, CVE-2021-30720,CVE-2021-30734, CVE-2021-30744,CVE-2021-30749, CVE-2021-30758,CVE-2021-30761, CVE-2021-30762,CVE-2021-30795, CVE-2021-30797,CVE-2021-30799. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0004.html ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210721… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Microsoft Chrome Based Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0800 ∗∗∗ Asterisk: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0799 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2021
by Daily end-of-shift report 22 Jul '21

22 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-07-2021 18:00 − Donnerstag 22-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco: Wichtiges Sicherheitsupdate für Intersight Virtual Appliance verfügbar ∗∗∗ --------------------------------------------- Für die virtuelle Cisco Intersight-Appliance, aber auch für weitere Produkte des Netzwerkausrüsters stehen sicherheitsrelevante Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6144993 ∗∗∗ HP, Samsung & Xerox: Lücke in Windows-Druckertreibern gefixt – nach 16 Jahren ∗∗∗ --------------------------------------------- Wer die seit Mitte Mai verfügbaren Druckertreiber-Updates noch nicht installiert hat, sollte dies zügig nachholen: Angreifer könnten Systeme übernehmen. --------------------------------------------- https://heise.de/-6145114 ∗∗∗ Recovery Scams: Weitere Schäden statt Geld zurück! ∗∗∗ --------------------------------------------- Wer Opfer einer betrügerischen Investitionsplattform wird, erleidet mitunter beträchtlichen finanziellen Schaden. Damit nicht genug, folgen wenig später E-Mails oder Anrufe der Kriminellen, die hinter dem Investitionsbetrug steckten. Diesmal geben sie sich jedoch nicht als InvestmentberaterInnen aus, sondern Schlüpfen in eine andere Rolle: Gegen Vorabzahlung versprechen sie Hilfe beim Zurückholen des verlorenen Geldes. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-weitere-schaeden-stat… ∗∗∗ MITRE updates list of top 25 most dangerous software bugs ∗∗∗ --------------------------------------------- MITRE has shared this years top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitre-updates-list-of-top-25… ∗∗∗ Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug ∗∗∗ --------------------------------------------- A privilege elevation bug in Windows 10 opens all systems to attackers to access data and create new accounts on systems. --------------------------------------------- https://threatpost.com/win-10-serioussam/168034/ ∗∗∗ Compromising a Network Using an "Info" Level Finding ∗∗∗ --------------------------------------------- Anyone who has ever read a vulnerability scan report will know that scanners often include a large number of findings they classify as "Info". Typically this is meant to convey general information about the target systems which does not pose any risk. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/compromisin… ∗∗∗ Vulnerable Plugin Exploited in Spam Redirect Campaign ∗∗∗ --------------------------------------------- Some weeks ago a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows for arbitrary file uploads, which is where we have been seeing the infections start. This plugin has over 400,000 installations so we have seen a sustained campaign to infect sites with this plugin installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin. --------------------------------------------- https://blog.sucuri.net/2021/07/vulnerable-plugin-exploited-in-spam-redirec… ∗∗∗ Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws ∗∗∗ --------------------------------------------- Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning across multiple products, some of which could be exploited by a remote attacker to take control of an affected system. Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services thats remotely exploitable without authentication. It's worth noting that the weakness was originally addressed as part of an out-of-band security update in June 2019. --------------------------------------------- https://thehackernews.com/2021/07/oracle-warns-of-critical-remotely.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow and redis), Fedora (kernel-headers, kernel-tools, kernelshark, libbpf, libtraceevent, libtracefs, nextcloud, and trace-cmd), Gentoo (chromium and singularity), Mageia (kernel, kernel-linus, and systemd), openSUSE (caribou, chromium, curl, and qemu), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and systemd), Slackware (curl), SUSE (curl, kernel, linuxptp, python-pip, and qemu), and Ubuntu (ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/863997/ ∗∗∗ Atlassian Patches Critical Vulnerability in Jira Data Center Products ∗∗∗ --------------------------------------------- Software development and collaboration solutions provider Atlassian on Wednesday informed customers that it has patched a critical code execution vulnerability affecting some of its Jira products. --------------------------------------------- https://www.securityweek.com/atlassian-patches-critical-vulnerability-jira-… ∗∗∗ IDEMIA fixed biometric identification devices vulnerabilities discovered by Positive Technologies ∗∗∗ --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/idemia-fixed-biometric-identifi… ∗∗∗ July 22, 2021 TNS-2021-14 [R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-14 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0793 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0797 ∗∗∗ MB connect line: Apache Guacamole related vulnerabilities in mbCONNECT24, mymbCONNECT24 <= 2.8.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-031 ∗∗∗ MB connect line: two vulnerabilities in mymbCONNECT24, mbCONNECT24 <= 2.8.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-030 ∗∗∗ MB connect line: Privilege escalation in mbDIALUP <= 3.9R0.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-017 ∗∗∗ ZDI-21-893: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-893/ ∗∗∗ ZDI-21-892: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-892/ ∗∗∗ ZDI-21-891: (0Day) Apple macOS ImageIO TIFF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-891/ ∗∗∗ ZDI-21-890: (0Day) Apple macOS AudioToolboxCore LOAS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-890/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (April 2021) affects IBM InfoSphere Information Server (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2021-20227 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Directory Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2021
by Daily end-of-shift report 21 Jul '21

21 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-07-2021 18:00 − Mittwoch 21-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trügerische Gewinnversprechen ∗∗∗ --------------------------------------------- Der Onlinehandel mit Finanzinstrumenten wird bei Anlegern immer beliebter. Diesen Trend machen sich Betrüger zunutze. Sie versprechen hohe Gewinne mit betrügerischen Cybertrading-Plattformen. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=4661724A4D466861696B4D3D ∗∗∗ XLoader malware steals logins from macOS and Windows systems ∗∗∗ --------------------------------------------- A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xloader-malware-steals-login… ∗∗∗ NPM package steals Chrome passwords on Windows via recovery tool ∗∗∗ --------------------------------------------- New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-package-steals-chrome-pa… ∗∗∗ Betrügerische E-Mail im Namen der Raiffeisen Bank im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche InternetnutzerInnen finden derzeit ein vermeintliches E-Mail der Raiffeisen Bank in ihrem Posteingang. Darin wird behauptet, dass aufgrund aktueller Betrugsversuche ein neues Sicherheitssystem notwendig sei. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mail-im-namen-der-r… ∗∗∗ CVE-2021-31969: Underflowing in the Clouds ∗∗∗ --------------------------------------------- You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native API known as the Cloud Filter API. --------------------------------------------- https://www.thezdi.com/blog/2021/7/19/cve-2021-31969-underflowing-in-the-cl… ∗∗∗ New Attacks on Kubernetes via Misconfigured Argo Workflows ∗∗∗ --------------------------------------------- Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. --------------------------------------------- https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Nasty Linux Systemd Security Bug Revealed ∗∗∗ --------------------------------------------- Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic. --------------------------------------------- https://it.slashdot.org/story/21/07/20/211230/nasty-linux-systemd-security-… ∗∗∗ Vulnerability in ON24 Plugin for macOS Shares More Than Just Your Screen ∗∗∗ --------------------------------------------- ON24 presenter mode requires you to install a plugin that is used to share your screen. For the macOS app (DesktopScreenShare.app), the plugin is started automatically once a user logs on. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ HiveNightmare: Nutzer können die Windows-Passwort-Datenbank auslesen ∗∗∗ --------------------------------------------- Fehlerhafte Zugriffsrechte verursachen eine Sicherheitslücke in Windows 10 und 11. Einen Patch gibt es noch nicht – wir zeigen aber erste Workarounds. --------------------------------------------- https://heise.de/-6143746 ∗∗∗ Sicherheitsupdates: Adobe patcht Photoshop & Co. außer der Reihe ∗∗∗ --------------------------------------------- Angreifer könnten Computer, auf denen unter anderem Adobe After Effects oder Prelude laufen, mit Schadcode attackieren. --------------------------------------------- https://heise.de/-6143780 ∗∗∗ Root-Kernel-Lücke bedroht viele Linux-Distributionen ∗∗∗ --------------------------------------------- Sicherheitsforscher demonstrieren erfolgreiche Attacken auf Debian, Fedora und Ubuntu. Im Anschluss hatten sie Root-Rechte. Patches schaffen Abhilfe. --------------------------------------------- https://heise.de/-6144023 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc,[...] --------------------------------------------- https://lwn.net/Articles/863861/ ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in Safari 14.1.2 and iOS 14.7. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/apple-releases-se… ∗∗∗ Malware Targeting Pulse Secure Devices ∗∗∗ --------------------------------------------- As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting… ∗∗∗ VU#914124: Arcadyan-based routers and modems vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/914124 ∗∗∗ Dell OpenManage Enterprise Hardcoded Credentails / Privilege Escalation / Deserialization ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021070121 ∗∗∗ Security Bulletin: Multiple vulnerabilities in F5 NGINX Controller affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Nvidia GPU Display Treiber: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0769 ∗∗∗ PuTTY: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0790 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-201-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2021
by Daily end-of-shift report 20 Jul '21

20 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 19-07-2021 18:00 − Dienstag 20-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New MosaicLoader malware targets software pirates via online ads ∗∗∗ --------------------------------------------- An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader advertising camouflaged as cracked software via search engine results to infect wannabe software pirates systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mosaicloader-malware-tar… ∗∗∗ Summer of SAM - incorrect permissions on Windows 10/11 hives, (Tue, Jul 20th) ∗∗∗ --------------------------------------------- If you opened Twitter today you were probably flooded with news about the latest security issue with Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/27652 ∗∗∗ 6 typische Phishing-Attacken ∗∗∗ --------------------------------------------- Phishing, Smishing, Vishing - kennen Sie den Unterschied? --------------------------------------------- https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/ ∗∗∗ Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware ∗∗∗ --------------------------------------------- The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771). --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-fro… ∗∗∗ Don’t Wanna Pay Ransom Gangs? Test Your Backups. ∗∗∗ --------------------------------------------- Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only theyd had proper data backups. --------------------------------------------- https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-b… ∗∗∗ Vorsicht vor gefälschtem „Voicemail“ SMS ∗∗∗ --------------------------------------------- „Sie haben eine neue Voicemail“: Dieses lästige Fake-SMS mit einem Link zu einer angeblichen Sprachnachricht erhalten momentan unzählige HandynutzerInnen. Klicken Sie keinesfalls auf den Link. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-voicemail-… ∗∗∗ AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department ∗∗∗ --------------------------------------------- This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa21-200a ∗∗∗ Significant Historical Cyber-Intrusion Campaigns Targeting ICS ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-histo… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3 Security Advisories for 2021-07-20 ∗∗∗ --------------------------------------------- TYPO3-CORE-SA-2021-009 - TYPO3-CORE-SA-2021-012 --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Forensischer Bericht: iMessage-Lücke für Pegasus Spyware wird weiterhin genutzt ∗∗∗ --------------------------------------------- Amnesty International geht davon aus, dass eine iMessage-Lücke zur Installation von Spyware der Überwachungsfirma NSO Group bis heute ausgenutzt wird. --------------------------------------------- https://heise.de/-6141467 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libjdom1-java, rabbitmq-server, and systemd), Fedora (glibc), Gentoo (libpano13, libslirp, mpv, pjproject, pycharm-community, and rpm), Mageia (glibc, libuv, mbedtls, rvxt-unicode, mxrvt, eterm, tomcat, and zziplib), openSUSE (dbus-1, firefox, go1.15, lasso, nodejs10, nodejs12, nodejs14, and sqlite3), SUSE (go1.15), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/863617/ ∗∗∗ Oracle Releases July 2021 Critical Patch Update ∗∗∗ --------------------------------------------- Oracle has released its Critical Patch Update for July 2021 to address 327 vulnerabilities across multiple products. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/oracle-releases-j… ∗∗∗ Hundreds of millions of HP, Xerox, and Samsung printers vulnerable to new bug ∗∗∗ --------------------------------------------- Security experts have found a severe vulnerability in a common printer driver used by HP, Xerox, and Samsung. --------------------------------------------- https://therecord.media/hundreds-of-millions-of-hp-xerox-and-samsung-printe… ∗∗∗ New Sequoia bug gives you root access on most Linux systems ∗∗∗ --------------------------------------------- Security auditing firm Qualys said today it discovered a new vulnerability in the Linux operating system that can grant attackers root access on most distros, such as Ubuntu, Debian, and Fedora. --------------------------------------------- https://therecord.media/new-sequoia-bug-gives-you-root-access-on-most-linux… ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht FortiManager und FortiAnalyzer ∗∗∗ --------------------------------------------- https://heise.de/-6142498 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems used by IBM Cloud Pak System (Jan2021 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale could allow an authenticated user to gain elevated privileges (CVE-2020-9492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Pak System (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Vulnerabilities in Docker affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-docker… ∗∗∗ Security Bulletin: Vulnerabilities in Python affect OS Image for RedHat bundled with Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python… ∗∗∗ Security Bulletin: Watson Explorer is affected by Apache PDFBox vulnerabilities (CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-explorer-is-affect… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects Cloud Pak System (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in node.js and OpenSSL (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-670099.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2021
by Daily end-of-shift report 19 Jul '21

19 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-07-2021 18:00 − Montag 19-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Innenministerium warnt vor betrügerischen SMS ∗∗∗ --------------------------------------------- Es sind erneut Betrugs-SMS im Umlauf, wobei Menschen in Österreich immer wieder Benachrichtigungen mit Informationen zu einer verpassten Sprachnachricht erhalten. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=50783968547451414D42673D ∗∗∗ VU#131152: Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files ∗∗∗ --------------------------------------------- Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process. --------------------------------------------- https://kb.cert.org/vuls/id/131152 ∗∗∗ Betrug per Whatsapp: "Ich hab mein Handy verloren, kannst du Geld überweisen?" ∗∗∗ --------------------------------------------- Mit vorgeblichen Hilferufen von Verwandten versuchen Trickbetrüger per Whatsapp, Menschen um ihr Geld zu bringen - oft mit Erfolg, sagt die Polizei. --------------------------------------------- https://www.golem.de/news/betrug-per-whatsapp-ich-hab-mein-handy-verloren-k… ∗∗∗ That iPhone WiFi crash bug is far worse than initially thought ∗∗∗ --------------------------------------------- An innocuous iPhone bug that could crash the WiFi service has turned out to be far worse than initially thought after mobile security firm ZecOps showed on Friday how the bug could be abused for remote code execution attacks. --------------------------------------------- https://therecord.media/that-iphone-wifi-crash-bug-is-far-worse-than-initia… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-815: Cisco WebEx Network Recording Player ARF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-815/ ∗∗∗ ZDI-21-876: (0Day) Advantech WebAccess/NMS DashBoardAction Missing Authentication Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-876/ ∗∗∗ ZDI-21-879: (0Day) WSO2 API Manager JMX Use of Hard-coded Credentials Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of WSO2 API Manager. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-879/ ∗∗∗ ZDI-21-877: (0Day) Autodesk Meshmixer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Meshmixer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-877/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, mbedtls, nextcloud, python-pillow, ruby, ruby2.6, ruby2.7, systemd, thunderbird, varnish, and vivaldi), Debian (thunderbird), Fedora (chromium, firefox, and linux-firmware), Gentoo (apache, commons-fileupload, dovecot, and mediawiki), openSUSE (firefox, fossil, go1.16, and icinga2), Oracle (firefox, kernel, and kernel-container), Red Hat (nettle), and SUSE (firefox and go1.16). --------------------------------------------- https://lwn.net/Articles/863453/ ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. --------------------------------------------- https://support.citrix.com/article/CTX319135 ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE results in a low confidentiality impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Handlebars.js ( CVE-2019-19919, CVE-2021-32820) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: IBM Security SOAR could allow a privileged user to import non-approved Python2 modules (CVE-2021-29780). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-a… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tier CVE-2021-21409 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in shell affects Power Hardware Management Console ( CVE-2021-29707). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-shell-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2021
by Daily end-of-shift report 16 Jul '21

16 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-07-2021 18:00 − Freitag 16-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warten auf Patches: Neue Drucker-Lücke in Windows entdeckt ∗∗∗ --------------------------------------------- Abermals könnten Angreifer Windows über eine Drucker-Schwachstelle attackieren und Schadcode ausführen. Bislang gibt es nur einen Workaround zur Absicherung. --------------------------------------------- https://heise.de/-6140346 ∗∗∗ Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft ∗∗∗ --------------------------------------------- XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool --------------------------------------------- https://www.securityweek.com/vulnerabilities-etherpad-collaboration-tool-al… ∗∗∗ Introduction to ICS Security Part 2 ∗∗∗ --------------------------------------------- An introduction to the Purdue Enterprise Reference Architecture (PERA), additional reference models, and best practices for secure ICS architectures. --------------------------------------------- https://www.sans.org/blog/introduction-to-ics-security-part-2?msc=rss ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Intelligent Proximity SSL Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device (Version: 1.1 Description: Added fixed releases.) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device that results in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the software cryptography module handles specific types of [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Schadcode-Lücken im Netzwerkbetriebssystem Junos OS geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten unter anderem Router und Switches von Juniper attackieren. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6140423 ∗∗∗ WordPress-Plugin: WooCommerce schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- WordPress hat nach dem Veröffentlichen des Patches ein automatisiertes Zwangsupdate veranlasst. Trotzdem könnten noch nicht alle Shops versorgt sein. --------------------------------------------- https://heise.de/-6140221 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040 ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code. --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-d-link.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Debian (firefox-esr), Fedora (linuxptp), Gentoo (commons-collections), Mageia (aom, firefox, python-django, thunderbird, and tpm2-tools), openSUSE (claws-mail, kernel, nodejs10, and nodejs14), Red Hat (nettle), Scientific Linux (firefox), SUSE (firefox, kernel, nodejs10, and nodejs14), and Ubuntu (libslirp and qemu). --------------------------------------------- https://lwn.net/Articles/863180/ ∗∗∗ Ypsomed mylife ∗∗∗ --------------------------------------------- This advisory contains mitigations for Insufficiently Protected Credentials, Not Using an Unpredictable IV with CBC Mode, and Use of Hard-coded Credentials vulnerabilities in the Ypsomed mylife diabetes management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-196-01 ∗∗∗ Icinga: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0758 ∗∗∗ [webapps] Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50132 ∗∗∗ Security Bulletin: IBM i2 Analyze is affected by multiple DB2 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-is-affecte… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM DB2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM uses less secure methods for securing data at rest and in transit between hosts (CVE-2020-4980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-less… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud TierCVE-(2021-21295) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: 3RD PARTY IBM InfoSphere MDM Inspector – Cross Site Request Forgery ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-3rd-party-ibm-infosphere-… ∗∗∗ Security Bulletin: IBM Data Replication Support Tool Information Collection on Sybase Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-supp… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Affected by IBM Java SDK Vulnerability (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects Collaboration and Deployment Services (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Vulnerabilities in IBM Java SDK (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Management Console Authentication Affected by Annonymous Binding (CVE-2020-4821) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-mana… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2021
by Daily end-of-shift report 15 Jul '21

15 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-07-2021 18:00 − Donnerstag 15-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IT-Sicherheit: Immer mehr Zero-Day-Exploits bei Angriffen entdeckt ∗∗∗ --------------------------------------------- Sicherheitsforscher verzeichnen immer mehr Angriffe, für die zuvor unbekannte Sicherheitslücken ausgenutzt werden. Das müsse jedoch kein schlechtes Zeichen sein, sagen die Forscher. --------------------------------------------- https://www.golem.de/news/it-sicherheit-immer-mehr-zero-day-exploits-bei-an… ∗∗∗ Attacken auf nicht mehr unterstützte Fernzugriff-Produkte von Sonicwall ∗∗∗ --------------------------------------------- Angreifer attackieren derzeit nicht mehr im Support befindliche Sonicwall Secure Mobile Access und Secure Remote Access mit Ransomware. --------------------------------------------- https://heise.de/-6139330 ∗∗∗ Grüner Pass – worauf Sie achten müssen! ∗∗∗ --------------------------------------------- Seit Kurzem kann man mit dem "Grünen Pass" digital nachweisen, dass man geimpft, getestet oder genesen ist. Aber was ist der "Grüne Pass" und wie kann dieser genutzt werden? Der "Grüne Pass" kann in unterschiedlichen Formen genutzt werden: ausgedruckt, via App, als Foto etc. Wir zeigen Ihnen, wie Sie zu diesem kommen und worauf Sie achten sollten. --------------------------------------------- https://www.watchlist-internet.at/news/gruener-pass-worauf-sie-achten-muess… ∗∗∗ Ransomware: Interpol warnt vor exponentiellen Wachstum ∗∗∗ --------------------------------------------- Cyberkriminelle agieren laut Interpol über Grenzen hinweg und bleiben dabei meist ungestraft. Die Polizeibehörde befürchtet ohne eine Zusammenarbeit zwischen Ermittlern und Privatwirtschaft eine "Ransomware-Pandemie". --------------------------------------------- https://www.zdnet.de/88395786/ransomware-interpol-warnt-vor-exponentiellen-… ∗∗∗ BazarBackdoor sneaks in through nested RAR and ZIP archives ∗∗∗ --------------------------------------------- Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-thro… ∗∗∗ Linux version of HelloKitty ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMwares ESXi virtual machine platform for maximum damage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-… ∗∗∗ USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th) ∗∗∗ --------------------------------------------- Phishing... at least they don't understand security any better than most kids. The latest example is a simple USPS phish. The lure is an email claiming that a package can not be delivered until I care to update my address. Urgency... and obvious action. They learned something in their phishing 101 class. --------------------------------------------- https://isc.sans.edu/diary/rss/27630 ∗∗∗ An Overview of Basic WordPress Hardening ∗∗∗ --------------------------------------------- We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress is no exception. While there are a plethora of different ways that site owners can lock down their website, in this post we are going to review the most basic hardening mechanisms that WordPress website owners can employ to improve their security. We will also review the pros and cons of these different tactics. --------------------------------------------- https://blog.sucuri.net/2021/07/basic-wordpress-hardening.html ∗∗∗ macOS: Bashed Apples of Shlayer and Bundlore ∗∗∗ --------------------------------------------- The Uptycs threat research team has been observing over 90% of macOS malware in our daily analysis and customer telemetry alerts using shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains—Shlayer and Bundlore. These malware are the most predominant malware in macOS, also with a history of evading and bypassing the built-in Xprotect, Gatekeeper, Notarization and File Quarantine security features of macOS. --------------------------------------------- https://www.uptycs.com/blog/macos-bashed-apples-of-shlayer-and-bundlore ∗∗∗ Gasket and MagicSocks Tools Install Mespinoza Ransomware ∗∗∗ --------------------------------------------- As cyber extortion flourishes, ransomware gangs are constantly changing tactics and business models to increase the chances that victims will pay increasingly large ransoms. As these criminal organizations become more sophisticated, they are increasingly taking on the appearance of professional enterprises. --------------------------------------------- https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mes… ∗∗∗ CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses ∗∗∗ --------------------------------------------- Original release date: July 14, 2021CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors. Compromises of MSPs—such as with the recent [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/14/cisa-insights-gui… ===================== = Vulnerabilities = ===================== ∗∗∗ SA44846 - OpenSSL Security Advisory CVE-2021-23841 ∗∗∗ --------------------------------------------- On February 16 2021, the OpenSSL project announced a new security advisory. These issues may affect Pulse Secure product. [...] Pulse Secure is currently evaluating the following issues reported by OpenSSL: As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat am 14.7.2021 32 Security Advisories mit folgenden Severity Levels veröffentlicht: 12x Medium, 15x High, 5x Critical --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. R-SeeNet is the software system used for monitoring Advantech routers. [...] Talos is disclosing these vulnerabilities despite no official update from Advantech inside the 90-day deadline, as outlined in Cisco’s vulnerability disclosure policy. --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-r-see-net.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and php7.0), Fedora (firefox, mingw-djvulibre, and seamonkey), Gentoo (fluidsynth, openscad, and urllib3), openSUSE (ffmpeg, nodejs12, and sqlite3), Red Hat (firefox), and SUSE (ffmpeg, kernel, nodejs10, nodejs12, nodejs14, and sqlite3). --------------------------------------------- https://lwn.net/Articles/863001/ ∗∗∗ Lenovo Working on Patches for BIOS Vulnerabilities Affecting Many Laptops ∗∗∗ --------------------------------------------- Lenovo this week published information on three vulnerabilities that impact the BIOS of two of its desktop products and approximately 60 laptop and notebook models. --------------------------------------------- https://www.securityweek.com/lenovo-working-patches-bios-vulnerabilities-af… ∗∗∗ Kubernetes: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0751 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by vulnerability in Java SE (CVE-2020-14579)( CVE-2020-14578)(CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Compare and Comply for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-compare-and-co… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Apache Commons ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Eclipse Jetty ( CVE-2021-28163, CVE-2021-28165, CVE-2020-27223) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a specially-crafted sequence of serialized objects(CVE-2020-4576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2021
by Daily end-of-shift report 14 Jul '21

14 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-07-2021 18:00 − Mittwoch 14-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Updated Joker Malware Floods into Android Apps ∗∗∗ --------------------------------------------- The Joker premium billing-fraud malware is back on Google Play in a fresh onslaught, with an updated bag of tricks to evade scanners. --------------------------------------------- https://threatpost.com/updated-joker-malware-android-apps/167776/ ∗∗∗ Cybercrime-Bande REvil von der Bildfläche verschwunden ∗∗∗ --------------------------------------------- Die Kriminellen erpressten über 1000 Firmen, deren Daten sie mit dem Kaseya-Lieferketten-Angriff verschlüsselten. Jetzt sind ihre Server nicht mehr erreichbar. --------------------------------------------- https://heise.de/-6137119 ∗∗∗ Identitätsdiebstahl statt Darlehen: Schließen Sie keinen Kredit auf 1superkredit.com und kredit-united.com ab! ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach einem Kredit? Dann stoßen Sie womöglich auf die Webseiten 1superkredit.com oder kredit-united.com. Zwei Webseiten, die einiges gemeinsam haben: Die Webseiten sehen sehr ähnlich aus, bewerben Kredite zu günstigen Bedingungen und hinter beiden Seiten stecken BetrügerInnen. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-darlehen-… ∗∗∗ CISA Releases Analysis of FY20 Risk and Vulnerability Assessments ∗∗∗ --------------------------------------------- CISA has released an analysis and infographic detailing the findings from the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisa-releases-ana… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall warns of critical ransomware risk to SMA 100 VPN appliances ∗∗∗ --------------------------------------------- SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-… ∗∗∗ Authentication bypass & Remote code Execution bei Schneider Electric EVlink Ladestationen ∗∗∗ --------------------------------------------- Schneider Electric Ladestationen für E-Autos der "EVlink" Serie sind von zwei Schwachstellen betroffen die es einem Angreifer ermöglichen das System zu übernehmen und dort beliebige Befehle auszuführen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass… ∗∗∗ Microsoft-Patchday: Angreifer nutzen vier Sicherheitslücken in Windows aus ∗∗∗ --------------------------------------------- Microsoft schließt unter anderem kritische Schadcode-Lücken in der Schutzlösung Windows Defender. Neben aktiven Angriffen könnten weitere Attacken bevorstehen. --------------------------------------------- https://heise.de/-6137050 ∗∗∗ Patchday: Adobe schließt kritische Lücken in Bridge, Illustrator & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Adobe-Anwendungen. Angreifer könnten Schadcode ausführen. --------------------------------------------- https://heise.de/-6137110 ∗∗∗ Patchday SAP: Angreifer könnten unberechtigt auf NetWeaver zugreifen ∗∗∗ --------------------------------------------- Der Softwarehersteller SAP schließt mehrere Sicherheitslücken in seinem Portfolio. --------------------------------------------- https://heise.de/-6137467 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xstream), Debian (linuxptp), Fedora (glibc and krb5), Gentoo (pillow and thrift), Mageia (ffmpeg and libsolv), openSUSE (kernel and qemu), SUSE (kernel), and Ubuntu (php5, php7.0). --------------------------------------------- https://lwn.net/Articles/862855/ ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric on Tuesday released a total of two dozen advisories covering roughly 100 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Bulletin: Unrestricted document type definition vulnerability affects IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-unrestricted-document-typ… ∗∗∗ Security Bulletin: A security vulnerability was fixed in IBM Security Access Manager and IBM Security Verify Access Docker containers ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Verify Access Docker container ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache PDFBox Vulnerabilities Affect IBM Control Center (CVE-2021-31811, CVE-2021-31812) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-vulnerabili… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ VMSA-2021-0015 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0015.html ∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-01 ∗∗∗ Schneider Electric SCADApack RTU, Modicon Controllers, and Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2021
by Daily end-of-shift report 13 Jul '21

13 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 12-07-2021 18:00 − Dienstag 13-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trickbot Activity Increases; new VNC Module On the Radar ∗∗∗ --------------------------------------------- Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. --------------------------------------------- https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-m… ∗∗∗ Buchen Sie Ihre Unterkunft nicht auf fewolio.de ∗∗∗ --------------------------------------------- fewolio.de ist eine unseriöse Buchungsplattform für luxuriöse Ferienhäuser in Deutschland. Die betrügerische Plattform sticht vor allem durch ihre günstigen Preise und kurzfristigen Verfügbarkeiten hervor. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf… ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Sicherheit: Neue Sicherheitslücke bei Solarwinds ∗∗∗ --------------------------------------------- Bei einer Dateiaustausch-Software von Solarwinds gab es Probleme. Ein Angreifer hat die Sicherheitslücke offenbar aktiv ausgenutzt. --------------------------------------------- https://www.golem.de/news/it-sicherheit-neue-sicherheitsluecke-bei-solarwin… ∗∗∗ ModiPwn ∗∗∗ --------------------------------------------- Armis researchers discover a critical vulnerability in Schneider Electric Modicon PLCs. The vulnerability can allow attackers to bypass authentication mechanisms which can lead to native remote-code-execution on vulnerable PLCs. --------------------------------------------- https://www.armis.com/research/modipwn/ ∗∗∗ Siemens Security Advisories 2021-07-13 ∗∗∗ --------------------------------------------- Siemens hat 18 neue und 5 aktualisierte Security Advisories veröffentlicht. (CVSS Scores von 5.3 bis 9.8) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html ∗∗∗ Citrix Virtual Apps and Desktops Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM. --------------------------------------------- https://support.citrix.com/article/CTX319750 ∗∗∗ Examining Crypto and Bypassing Authentication in Schneider Electric PLCs (M340/M580) ∗∗∗ --------------------------------------------- What you see in the picture above is similar to what you might see at a factory, plant, or inside a machine. At the core of it is Schneider Electric’s Modicon M340 programmable logic controller (PLC). --------------------------------------------- https://medium.com/tenable-techblog/examining-crypto-and-bypassing-authenti… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip). --------------------------------------------- https://lwn.net/Articles/862767/ ∗∗∗ Recently Patched ForgeRock AM Vulnerability Exploited in Attacks ∗∗∗ --------------------------------------------- Government agencies in the United States and Australia warn organizations that a recently patched vulnerability affecting ForgeRock Access Management has been exploited in the wild. --------------------------------------------- https://www.securityweek.com/recently-patched-forgerock-am-vulnerability-ex… ∗∗∗ ZDI-21-786: Trend Micro Apex One Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-786/ ∗∗∗ ZDI-21-789: (0Day) GoPro Player MOV File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-789/ ∗∗∗ ZDI-21-788: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-788/ ∗∗∗ ZDI-21-787: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-787/ ∗∗∗ SAP Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0734 ∗∗∗ Security Bulletin: A vulnerability was found in Oniguruma 6.9.2 that would result in a NULL Pointer Dereference, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-found… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where insecure http communications is used ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-out-of-bounds-read-vul… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where an error message may disclose implementation details ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Applications v4.3 does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to target blank set in HTML anchor tags ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 which may allow a malicious attacker to obtain sensitive user information from memory ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerabilty has been found in x/test pacakge before 0.3.3 for Go that could lead to an infinite loop, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-has-been-f… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes the possibility of a cross-site scripting attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ VMSA-2021-0014 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0014.html ∗∗∗ glibc vulnerability CVE-2020-27618 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08641512 ∗∗∗ Apache Cassandra vulnerability CVE-2020-13946 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36212405 ∗∗∗ Apache Tomcat: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0733 ∗∗∗ Icinga: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0732 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/adobe-releases-se… ∗∗∗ Security Advisories SYSS-2021-022, SYSS-2021-023, SYSS-2021-025 und SYSS-2021-026 zu P&I-Software LOGA3 ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/security-advisories-syss-2021-022-syss-202… ∗∗∗ SYSS-2021-020, SYSS-2021-021, SYSS-2021-027: Mehrere Schwachstellen in Element-IT HTTP Commander ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-020-syss-2021-021-syss-2021-027-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2021
by Daily end-of-shift report 12 Jul '21

12 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-07-2021 18:00 − Montag 12-07-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Conti Unpacked | Understanding Ransomware Development As a Response to Detection ∗∗∗ --------------------------------------------- Not yet two years old and already in its seventh iteration, Ransomware as a Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. [...] In this report, we describe in unprecedented detail the rapid evolution of this ransomware and how it has adapted quickly to defenders’ attempts to detect and analyze it. --------------------------------------------- https://labs.sentinelone.com/conti-unpacked-understanding-ransomware-develo… ∗∗∗ Ransomware tracker: the latest figures ∗∗∗ --------------------------------------------- Ransomware attacks have been dominating the headlines, thanks to high-profile incidents against organizations including Colonial Pipeline, JBS, and Kaseya. But an analysis of attacks against certain sectors shows that not all industries are impacted to the same degree... --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ Serv-U Remote Memory Escape Vulnerability CVE-2021-35211 ∗∗∗ --------------------------------------------- UPDATE July 10, 2021: NOTE: This security vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211 ∗∗∗ Jetzt patchen! Sicherheitspatch schließt REvil-Lücke in Kaseya VSA ∗∗∗ --------------------------------------------- Admins sollten die IT-Management-Software VSA von Kaseya zügig aktualisieren. Angreifer nutzen derzeit mehrere Sicherheitslücken aus. --------------------------------------------- https://heise.de/-6134473 ∗∗∗ SECURITY BULLETIN: Trend Micro Worry-Free Business Security Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services that resolve an incorrect permission assignment denial-of-service vulnerability. --------------------------------------------- https://success.trendmicro.com/solution/000286856 ∗∗∗ Security updates for Saturday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (gitlab, nodejs, openexr, php, php7, rabbitmq, ruby-addressable, and spice), Fedora (suricata), Gentoo (binutils, docker, runc, and tor), Mageia (avahi, botan2, connman, gstreamer1.0-plugins, htmldoc, jhead, libcroco, libebml, libosinfo, openexr, php, php-smarty, pjproject, and python), openSUSE (apache2, bind, bouncycastle, ceph, containerd, docker, runc, cryptctl, curl, dovecot23, firefox, graphviz, gstreamer-plugins-bad, java-1_8_0-openj9, java-1_8_0-openjdk, libass, libjpeg-turbo, libopenmpt, libqt5-qtwebengine, libu2f-host, libwebp, libX11, lua53, lz4, nginx, ovmf, postgresql10, postgresql12, python-urllib3, qemu, roundcubemail, solo, thunderbird, ucode-intel, wireshark, and xterm), and SUSE (permissions). --------------------------------------------- https://lwn.net/Articles/862487/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (djvulibre), Gentoo (connman, gnuchess, openexr, and xen), openSUSE (arpwatch, avahi, dbus-1, dhcp, djvulibre, freeradius-server, fribidi, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, gupnp, hivex, icinga2, jdom2, jetty-minimal, kernel, kubevirt, libgcrypt, libnettle, libxml2, openexr, openscad, pam_radius, polkit, postgresql13, python-httplib2, python-py, python-rsa, qemu, redis, rubygem-actionpack-5_1, salt, snakeyaml, squid, tpm2.0-tools, and xstream), Red Hat (xstream), and SUSE (bluez, csync2, dbus-1, jdom2, postgresql13, redis, slurm_20_11, and xstream). --------------------------------------------- https://lwn.net/Articles/862673/ ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a cross-site request forgery vulnerability (CVE-2020-4938) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Apache CXF Vulnerability Affects IBM Global Mailbox (CVE-2021-22696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2020-27618) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Event Streams documentation for generating .p12 files incorrectly adds the CA key into the file (CVE-2021-29792) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-event-streams-documentati… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Tivoli Netcool/OMNIbus WebGUI (CVE-2021-29803, CVE-2021-29804, CVE-2021-29805, CVE-2021-29822) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by Mozilla Network Security Services (NSS) vulnerability (CVE-2020-25648) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Critical ForgeRock Access Management Vulnerability ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgeroc… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2021
by Daily end-of-shift report 09 Jul '21

09 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-07-2021 18:00 − Freitag 09-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kaseya warns of phishing campaign pushing fake security updates ∗∗∗ --------------------------------------------- Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaseya-warns-of-phishing-cam… ∗∗∗ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability ∗∗∗ --------------------------------------------- On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/07/08/clarified-guidance-for-cve-2… ∗∗∗ Hancitor tries XLL as initial malware file, (Fri, Jul 9th) ∗∗∗ --------------------------------------------- On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead. --------------------------------------------- https://isc.sans.edu/diary/rss/27618 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Business Process Automation ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Produkte Patches veröffentlicht, die mehrere Sicherheitslücken schließen. --------------------------------------------- https://heise.de/-6133522 ∗∗∗ ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks ∗∗∗ --------------------------------------------- The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports. --------------------------------------------- https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-tech… ∗∗∗ CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict ∗∗∗ --------------------------------------------- In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-… ∗∗∗ Ransomwhere project wants to create a database of past ransomware payments ∗∗∗ --------------------------------------------- A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem. --------------------------------------------- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd). --------------------------------------------- https://lwn.net/Articles/862299/ ∗∗∗ Rockwell Automation MicroLogix 1100 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation MicroLogix 1100. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01 ∗∗∗ MDT AutoSave ∗∗∗ --------------------------------------------- This advisory contains mitigations for Inadequate Encryption Strength, SQL Injection, Relative Path Traversal, Command Injection, Uncontrolled Search Path Element, Generation of Error Message Containing Sensitive Information, and Unrestricted Upload of File with Dangerous Type in MDT Software in MDT Autosave Products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-189-02 ∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗ --------------------------------------------- BOSCH-SA-475180: The control systems SYNAX, Visual Motion, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contain PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published a security bulletin (1) about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, attackers can send crafted communication packets which may result in a denial of service condition or allow in worst case remote code execution. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-475180.html ∗∗∗ voidtools "Everything" vulnerable to HTTP header injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN68971465/ ∗∗∗ Apache Pulsar vulnerability CVE-2021-22160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68146245 ∗∗∗ Apache vulnerability CVE-2021-30641 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13815051 ∗∗∗ Advisory: Denial of service vulnerability on Automation Runtime webserver ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16254055… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to a denial of service vulnerability in Angular.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Solr ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2021
by Daily end-of-shift report 08 Jul '21

08 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-07-2021 18:00 − Donnerstag 08-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ iCloud-Problem erlaubte Password-Brute-Force – Apple streitet mit Entdecker ∗∗∗ --------------------------------------------- Einem Sicherheitsexperten gelang es, über eine Race Condition und zahlreiche IPs bestimmte Apple-IDs zurückzusetzen. Angeblich waren auch iPhone-PINs bedroht. --------------------------------------------- https://heise.de/-6120219 ∗∗∗ Vorsicht vor betrügerischen und unseriösen Apps! ∗∗∗ --------------------------------------------- Für das Smartphone gibt es zahlreiche Apps, die den Alltag erleichtern. Es gibt aber auch Apps, die das Leben erschweren können: Unseriöse Anwendungen entpuppen sich oftmals als teure Abo-Fallen oder als Datenkraken. Auch Apps, die die Geräte der NutzerInnen mit Schadsoftware infizieren, sind eine beliebte Masche von Cyberkriminellen. Wir zeigen Ihnen, wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-und-uns… ∗∗∗ Kubernetes gefährdet ∗∗∗ --------------------------------------------- Kubernetes Container und Cluster werden immer beliebter, geraten dadurch aber auch ins Visier von Hackern. Palo Alto Networks und Red Hat erläutern das unterschätzte Sicherheitsrisiko und wie Kubernetes-Instanzen zu Gefahrenherden werden. --------------------------------------------- https://www.zdnet.de/88395662/kubernetes-gefaehrdet/ ∗∗∗ Using Sudo with Python For More Security Controls, (Thu, Jul 8th) ∗∗∗ --------------------------------------------- I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I'm using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules! --------------------------------------------- https://isc.sans.edu/diary/rss/27614 ∗∗∗ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails ∗∗∗ --------------------------------------------- On, July 2nd, a massive ransomware attack was launched against roughly 50 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deep… ∗∗∗ Magecart Swiper Uses Unorthodox Concatenation ∗∗∗ --------------------------------------------- MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group. --------------------------------------------- https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenati… ∗∗∗ Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say ∗∗∗ --------------------------------------------- I pity the spool / Updated / Any celebrations that Microsofts out-of-band patch had put a stop PrintNightmare shenanigans may have been premature. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/07/07/printnightma… ∗∗∗ Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software ∗∗∗ --------------------------------------------- Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseyas customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago. --------------------------------------------- https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-… ∗∗∗ 3 things the Kaseya attack can teach us about ransomware recovery ∗∗∗ --------------------------------------------- Some lessons on dealing with ransomware recovery, thanks to the admirable transparency of a Dutch MSP impacted by the REvil attack on Kaseya. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack… ∗∗∗ Non-Malicious Android Crypto Mining Apps Scam Users at Scale ∗∗∗ --------------------------------------------- With no bad behavior, the mobile apps are difficult to detect by automated security scans --------------------------------------------- https://www.securityweek.com/non-malicious-android-crypto-mining-apps-scam-… ∗∗∗ Ransomware as a service: Negotiators are now in high demand ∗∗∗ --------------------------------------------- RaaS groups are hiring negotiators whose primary role is to force victims to pay up. --------------------------------------------- https://www.zdnet.com/article/ransomware-as-a-service-negotiators-between-h… ∗∗∗ Global Phishing Campaign Targets Energy Sector and its Suppliers ∗∗∗ --------------------------------------------- Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. --------------------------------------------- https://www.intezer.com/blog/research/global-phishing-campaign-targets-ener… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Patchday Juli ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0725 ∗∗∗ Angreifer können Sicherheitslücken in Ressourcenplanungstool Sage X3 kombinieren ∗∗∗ --------------------------------------------- Systeme mit Sage X3 sind unter anderem über eine kritische Schwachstelle mit Höchstwertung attackierbar. --------------------------------------------- https://heise.de/-6132418 ∗∗∗ Vulnerability Spotlight: Information disclosure, privilege escalation vulnerabilities in IOBit Advanced SystemCare Ultimate ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. IOBit Advanced SystemCare Ultimate is a system optimizer that promises to remove unwanted files and [...] --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-iobit0-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi). --------------------------------------------- https://lwn.net/Articles/862163/ ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisco-releases-se… ∗∗∗ Kaseya VSA Limited Disclosure ∗∗∗ --------------------------------------------- Why we are only disclosing limited details on the Kaseya vulnerabilities / Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities.Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and [...] --------------------------------------------- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ ∗∗∗ Security Bulletin: CVE-2021-28165 In Eclipse Jetty CPU usage can reach 100% upon receiving a large invalid TLS frame. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-28165-in-eclipse… ∗∗∗ Security Bulletin: CVE-2021-27568 An issue was discovered in netplex json-smart-v1, an exception is thrown from a function ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-27568-an-issue-w… ∗∗∗ Security Bulletin: CVE-2021-29711 Agent Upgrade through CLI requires inconsistent permission. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-29711-agent-upgr… ∗∗∗ Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-websph… ∗∗∗ Security Bulletin: CVE-2020-27223 when Jetty handles a request containing multiple Accept headers the server may enter a denial of service (DoS) state ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-27223-when-jetty… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2021
by Daily end-of-shift report 07 Jul '21

07 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-07-2021 18:00 − Mittwoch 07-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ WildPressure targets the macOS platform ∗∗∗ --------------------------------------------- We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS. --------------------------------------------- https://securelist.com/wildpressure-targets-macos/103072/ ∗∗∗ Why I Love (Breaking Into) Your Security Appliances ∗∗∗ --------------------------------------------- David "moose" Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to "pick one lock" to invade an enterprise through them. --------------------------------------------- https://threatpost.com/breaking-into-security-appliances/167584/ ∗∗∗ Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform ∗∗∗ --------------------------------------------- An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process. --------------------------------------------- https://thehackernews.com/2021/07/dozens-of-vulnerable-nuget-packages.html ∗∗∗ Fake-Shops für Fahrräder und E-Bikes haben Saison! ∗∗∗ --------------------------------------------- Auf bike-heller.de und mister24bike.de wird ein riesiges Sortiment an Fahrrädern und E-Bikes lagernd und sofort lieferbar angeboten. Allein das sollte stutzig machen, da viele seriöse Händler mitten in der Saison schon ausverkauft sind. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-fahrraeder-und-e-bik… ∗∗∗ Understanding REvil: The Ransomware Gang Behind the Kaseya Attack ∗∗∗ --------------------------------------------- Ransomware cases worked by Unit 42 consultants in the first six months of 2021 reveal insights into the preferred tactics of REvil threat actors. --------------------------------------------- https://unit42.paloaltonetworks.com/revil-threat-actors/ ∗∗∗ Update - Kaseya VSA Ransomwarevorfall: Sicht auf Österreich ∗∗∗ --------------------------------------------- In Folge dieses Vorfalls ist nun auch eine Spam-Kampagne, welche Schadsoftware (Cobalt Strike) im Anhang ausliefert und vorgibt, ein legitimes Update für Kaseya VSA zu sein, in Erscheinung getreten. --------------------------------------------- https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall ∗∗∗ How to Tighten IoT Security for Healthcare Organization ∗∗∗ --------------------------------------------- This post will first explore some of the ways IoT is revolutionizing medical care, then identify some of the potential problems posed by connected devices in a medical setting. --------------------------------------------- https://blog.checkpoint.com/2021/06/21/how-to-tighten-iot-security-for-heal… ===================== = Vulnerabilities = ===================== ∗∗∗ Printnightmare: Erste Patches für Windows-Sicherheitslücke ∗∗∗ --------------------------------------------- Durch ein Problem mit dem Windows-Druck-Spooler können Angreifer Code aus der Ferne ausführen. Erste Patches stehen bereit, aber noch nicht für alles. (Windows, Drucker) --------------------------------------------- https://www.golem.de/news/printnightmare-erste-patches-fuer-windows-sicherh… ∗∗∗ Kasperskys Passwort-Manager gefährdete Benutzer mit ratbaren Passwörtern ∗∗∗ --------------------------------------------- Wegen einer gründlich verpatzten Umsetzung ließen sich die vom Kaspersky Passwort-Manager vorgeschlagenen, scheinbar zufälligen Passwörter einfach erraten. --------------------------------------------- https://heise.de/-6130796 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (glibc), Gentoo (doas, firefox, glib, schismtracker, and tpm2-tss), Mageia (httpcomponents-client), openSUSE (virtualbox), Red Hat (linuxptp), Scientific Linux (linuxptp), and Ubuntu (libuv1 and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/862044/ ∗∗∗ This serious Wi-Fi bug can break your iPhone, but heres how to protect yourself ∗∗∗ --------------------------------------------- Walking past a Wi-Fi hotspot with a specific name can cause big problems for your iPhone. And the scary thing is that its easy to do. --------------------------------------------- https://www.zdnet.com/article/serious-wi-fi-bug-can-break-your-iphone-but-h… ∗∗∗ Security Advisory - Bluetooth Function Denial of Service Vulnerability in Some Huawei Smartphone Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210707-… ∗∗∗ Security Bulletin: Netty Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache JSON Small and Fast Parser (json-smart) and Underscore affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a privileged user to obtain sensitive information from internal log files (CVE-2021-29759) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by a ReDoS flaw when processing URLs (CVE-2021-33502) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Castor Vulnerability Affects IBM Control Center (CVE-2014-3004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-castor-vulnerability-affe… ∗∗∗ Security Bulletin: Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2020-29652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-golang-go-vulnerability-a… ∗∗∗ Security Bulletin: Vulnerabilities in the Python, Python cryptography , and Urllib3 affect IBM Spectrum Discover. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-py… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to underscore vulnerability (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Control Center (CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Philips Vue PACS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01 ∗∗∗ Moxa NPort IAW5000A-I/O Series Serial Device Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-187-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2021
by Daily end-of-shift report 06 Jul '21

06 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 05-07-2021 18:00 − Dienstag 06-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to protect your site against lethal unauthorized code injections ∗∗∗ --------------------------------------------- Lethal unauthorized code injections like XXS (cross site scripting) attacks are some of the most dynamic cyber-attacks. They are often very difficult to detect and can result in credit card theft, fraud, and endpoint data breaches, having a huge impact on small to medium sized businesses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-protect-your… ∗∗∗ Python DLL Injection Check, (Tue, Jul 6th) ∗∗∗ --------------------------------------------- They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. --------------------------------------------- https://isc.sans.edu/diary/rss/27608 ∗∗∗ Kaseya VSA: Wie die Lieferketten-Angriffe abliefen und was sie für uns bedeuten ∗∗∗ --------------------------------------------- Auch wer nicht davon betroffen ist, sollte sich klarmachen, was da gerade geschieht. Denn Angriffe wie der aktuelle REvil-Coup werden die IT-Welt verändern. --------------------------------------------- https://heise.de/-6129656 ∗∗∗ Kaseya Case Update 3 ∗∗∗ --------------------------------------------- Since the first signs of an incident last Friday evening the DIVD has continued to monitor the internet for instances of Kaseya VSA that remained online. We are happy to report a steady decrease in the number of online servers. --------------------------------------------- https://csirt.divd.nl/2021/07/06/Kaseya-Case-Update-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentified RFI to RCE Nagios/NagiosXI exploitation ∗∗∗ --------------------------------------------- An authenticated attacker may remotely inject and execute arbitrary code in Nagios and Nagios XI products. --------------------------------------------- https://github.com/ArianeBlow/NagiosXI-EmersonFI ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (python-django), Debian (libuv1, libxstream-java, and php7.3), Fedora (rabbitmq-server), Gentoo (glibc, google-chrome, libxml2, and postsrsd), openSUSE (libqt5-qtwebengine and roundcubemail), SUSE (python-rsa), and Ubuntu (djvulibre). --------------------------------------------- https://lwn.net/Articles/861972/ ∗∗∗ [20210705] - Core - XSS in com_media imagelist ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/860-20210705-core-xss-in-c… ∗∗∗ [20210704] - Core - Privilege escalation through com_installer ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/859-20210704-core-privileg… ∗∗∗ [20210703] - Core - Lack of enforced session termination ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/858-20210703-core-lack-of-… ∗∗∗ [20210702] - Core - DoS through usergroup table manipulation ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/857-20210702-core-dos-thro… ∗∗∗ [20210701] - Core - XSS in JForm Rules field ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/856-20210701-core-xss-in-j… ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0719 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0718 ∗∗∗ QNAP NAS HBS 3: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0717 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2021
by Daily end-of-shift report 05 Jul '21

05 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-07-2021 18:00 − Montag 05-07-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kaseya VSA Ransomwarevorfall: Sicht auf Österreich ∗∗∗ --------------------------------------------- In den Medien wird aktuell über einen Ransomwarevorfall, welcher eine große Anzahl an Firmen betrifft, berichtet 1 2. Folgend diesen Berichten gelang es der Ransomware-Gruppe "REvil" über das Einschleusen von Code in die Software-Lösung "Kaseya VSA", welche zum Remote-Monitoring und -Management für IT bei Managed Service Providern (MSP) eingesetzt wird, die Ransomware "Sodinokibi" automatisiert an die MSPs und somit auch an deren Kunden --------------------------------------------- https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall ∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗ --------------------------------------------- Update 7/5/2021: Security researcher cube0x0 discovered another attack vector for this vulnerability, which significantly expands the set of affected machines. While the original attack vector was Print System Remote Protocol [MS-RPRN], the same attack delivered via Print System Asynchronous Remote Protocol [MS-PAR] does not require Windows server to be a domain controller, or Windows 10 machine to have UAC User Account Control disabled or PointAndPrint NoWarningNoElevationOnInstall enabled. --------------------------------------------- https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html ∗∗∗ Another 0-Day Looms for Many Western Digital Users ∗∗∗ --------------------------------------------- Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who cant or wont upgrade to the latest operating system. --------------------------------------------- https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-di… ∗∗∗ Spam per Termineinladung: So schützen Sie sich! ∗∗∗ --------------------------------------------- Sie haben plötzlich im Lotto gewonnen. Jemand will Ihnen aus reiner Nächstenliebe Geld spenden. Außerdem müssen Sie unbedingt auf dieser einen Trading-Plattform investieren. Gewinne garantiert! Viele von uns kennen solche Versprechungen wohl. Spam-Mails sind nichts Neues mehr. Daher überlegen sich Kriminelle immer wieder neue Möglichkeiten, um an das Geld ihrer Opfer zu kommen. Derzeit sehr beliebt: Kalender-Spam! --------------------------------------------- https://www.watchlist-internet.at/news/spam-per-termineinladung-so-schuetze… ∗∗∗ Telnet service left enabled and without a password on SIMATIC HMI Comfort Panels ∗∗∗ --------------------------------------------- Siemens SIMATIC HMI Comfort Panels, devices meant to provide visualization of data received from industrial equipment, are exposing their Telnet service without any form of authentication, security researchers have discovered. Tracked as CVE-2021-31337, the vulnerability was revealed earlier this week. All SIMATIC HMI Comfort Panels models are believed to be impacted, except panels for SINAMICS Medium Voltage Products (SL150, SM150, and SM150i), where the Telnet service is disabled by default. --------------------------------------------- https://therecord.media/telnet-service-left-enabled-and-without-a-password-… ∗∗∗ MISP 2.4.145 and 2.4.146 released (Improved warning-lists) ∗∗∗ --------------------------------------------- MISP 2.4.145 and 2.4.146 released including a massive update to the MISP warning-lists, various improvements and security fixes. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.145 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-779: Advantech WebAccess Node BwFreRPT Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-779/ ∗∗∗ ZDI-21-778: Advantech WebAccess Node BwImgExe Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-778/ ∗∗∗ ZDI-21-777: Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-777/ ∗∗∗ ZDI-21-776: Autodesk Design Review DWF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-776/ ∗∗∗ ZDI-21-775: Autodesk Design Review DWFX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-775/ ∗∗∗ ControlTouch serial number can be misused to access customer configuration ∗∗∗ --------------------------------------------- ABB is aware of a privately reported vulnerability in the ControlTouch cloud subsystem. The cloud sub-system is updated to remove the vulnerability. An attacker who successfully exploited this vulnerability could modify the configuration of the ControlTouch of an authorized user. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A3688&Lan… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, mruby, opera, puppet, and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, graphviz, and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa). --------------------------------------------- https://lwn.net/Articles/861906/ ∗∗∗ Ricon Industrial Cellular Router S9922XL Remote Command Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php ∗∗∗ GNU C Library (glibc) vlunerability CVE-2016-10228 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52494142?utm_source=f5support&utm_mediu… ∗∗∗ Advisory: Denial of Service vulnerability in B&R Industrial Automation PROFINET IO Device ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864… ∗∗∗ Advisory: Stack crash in B&R Industrial Automation X20 EthernetIP Adpater ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily