- Daily - CERT.at

Tageszusammenfassung - 16.12.2021
by Daily end-of-shift report 16 Dec '21

16 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-12-2021 18:00 − Donnerstag 16-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Large-scale phishing study shows who bites the bait more often ∗∗∗ --------------------------------------------- A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-s… ∗∗∗ Emotet starts dropping Cobalt Strike again for faster attacks ∗∗∗ --------------------------------------------- Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobal… ∗∗∗ Hive ransomware enters big league with hundreds breached in four months ∗∗∗ --------------------------------------------- The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-l… ∗∗∗ A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution ∗∗∗ --------------------------------------------- Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-cl… ∗∗∗ PseudoManuscrypt: a mass-scale spyware attack campaign ∗∗∗ --------------------------------------------- Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal. --------------------------------------------- https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaig… ∗∗∗ 'DarkWatchman' RAT Shows Evolution in Fileless Malware ∗∗∗ --------------------------------------------- The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access. --------------------------------------------- https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/ ∗∗∗ How the "Contact Forms" campaign tricks people, (Thu, Dec 16th) ∗∗∗ --------------------------------------------- "Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint. --------------------------------------------- https://isc.sans.edu/diary/rss/28142 ∗∗∗ Log4j-Lücke: Erste Angriffe mit Ransomware und von staatlicher Akteuren ∗∗∗ --------------------------------------------- Die bisherigen Angriffsversuche waren wohl vor allem Tests. Doch jetzt wird es Ernst. Cybercrime und Geheimdienste nutzen die Lücke gezielt für ihre Zwecke. --------------------------------------------- https://heise.de/-6296549 ∗∗∗ When is a Scrape a Breach? ∗∗∗ --------------------------------------------- A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach? --------------------------------------------- https://www.troyhunt.com/when-is-a-scrape-a-breach/ ∗∗∗ Achtung: giesswein-outdoor.de ist ein Fake-Shop! ∗∗∗ --------------------------------------------- Die Webseite giesswein-outdoor.de sieht auf den ersten Blick sehr seriös aus. Doch tatsächlich handelt es sich um einen Fake-Shop, der das österreichische Unternehmen Giesswein imitiert. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-giesswein-outdoorde-ist-ein-… ∗∗∗ The dirty dozen of Latin America: From Amavaldo to Zumanek ∗∗∗ --------------------------------------------- The grand finale of our series dedicated to demystifying Latin American banking trojans. --------------------------------------------- https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavald… ∗∗∗ Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware ∗∗∗ --------------------------------------------- New ransomware used in mid-November attack, ConnectWise was likely infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions ∗∗∗ --------------------------------------------- Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address. --------------------------------------------- https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Lenovo laptops vulnerable to bug allowing admin privileges ∗∗∗ --------------------------------------------- Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lenovo-laptops-vulnerable-to… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble). --------------------------------------------- https://lwn.net/Articles/878844/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-714170.txt ∗∗∗ TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2021-004 ∗∗∗ TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2021-003 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1290 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2021
by Daily end-of-shift report 15 Dec '21

15 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-12-2021 18:00 − Mittwoch 15-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ransomware now being deployed in Log4Shell attacks ∗∗∗ --------------------------------------------- The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-dep… ∗∗∗ Simple but Undetected PowerShell Backdoor, (Wed, Dec 15th) ∗∗∗ --------------------------------------------- For a while, most security people agree on the fact that antivirus products are not enough for effective protection against malicious code. If they can block many threats, some of them remain undetected by classic technologies. Here is another example with a simple but effective PowerShell backdoor that I spotted yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/28138 ∗∗∗ GitHubs Antwort auf die kritische Log4j-Lücke ∗∗∗ --------------------------------------------- Zu der kritischen Sicherheitslücke im Log4j-Logging-Framework hat der Code-Hoster Sicherheitshinweise veröffentlicht. Ein Update auf Log4j 2.16 schafft Abhilfe. --------------------------------------------- https://heise.de/-6294120 ∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗ --------------------------------------------- 15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viele schätzt SAP als hohes oder gar kritisches Risiko ein. --------------------------------------------- https://heise.de/-6294773 ∗∗∗ Patchday: Adobe schließt kritische Lücken in Experience Manager & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe. In einigen Fällen könnten Angreifer Schadcode auf Computern ausführen. --------------------------------------------- https://heise.de/-6295316 ∗∗∗ Patchday: Sechs Windows-Lücken öffentlich bekannt, durch eine schlüpft Emotet ∗∗∗ --------------------------------------------- Microsoft schließt zahlreiche Sicherheitslücken in beispielsweise Azure, Office und Windows. Darunter sind auch als kritisch eingestufte Lücken. --------------------------------------------- https://heise.de/-6295264 ∗∗∗ Neue Probleme - Log4j-Patch genügt nicht ∗∗∗ --------------------------------------------- Version 2.15.0 von Log4j sollte die Log4Shell-Sicherheitslücke schließen. Das reichte jedoch nicht. Log4j 2.16.0 behebt nun noch eine weitere Schwachstelle. --------------------------------------------- https://heise.de/-6295343 ∗∗∗ Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks ∗∗∗ --------------------------------------------- CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/15/immediate-steps-s… ∗∗∗ No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages ∗∗∗ --------------------------------------------- NPM modules are a valuable target for threat actors due to their popularity amongst developers. They also have a high prevalence of complex dependencies, where one package installs another as a dependency often without the knowledge of the developer. --------------------------------------------- https://www.mandiant.com/resources/supply-chain-node-js ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) ∗∗∗ --------------------------------------------- After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported in CVE-2021-45046. --------------------------------------------- https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Apache Log4J information, WebSphere Application Server, i2 Analyze, i2 Connect, Analyst’s Notebook Premium, Security Access Manager, Security Verify Access, App Connect, Integration Bus, QRadar SIEM Application Framework, Sterling File Gateway, Cloud Transformation Advisor, MQ Blockchain bridge, WebSphere Cast Iron, Power System, Rational Asset Analyzer, Disconnected Log Collector, SPSS Statistics, Power HMC --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Intel Product Advisory for Apache Log4j2 Vulnerabilities (CVE-2021-44228 & CVE-2021-45046) ∗∗∗ --------------------------------------------- Security vulnerabilities in Apache Log4j2 for some Intel® products may allow escalation of privilege or denial of service. --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Apache log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- ABB is still investigating the potentially affected products and to date ABB has identified the following products which are likely affected by the vulnerabilities in log4j (ABB products not listed are initially evaluated as not impacted). --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/878749/ ∗∗∗ Security Advisory - Intel Microarchitectural Data Sampling (MDS) vulnerabilities ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20190712-… ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1277 ∗∗∗ OpenSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1282 ∗∗∗ Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500458-AUTHENTICATION-BYPASS-V… ∗∗∗ Lenovo Vantage Component Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500461-LENOVO-VANTAGE-COMPONEN… ∗∗∗ TLB Poisoning Attacks on AMD Secure Encrypted Virtualization (SEV) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500459-TLB-POISONING-ATTACKS-O… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2021
by Daily end-of-shift report 14 Dec '21

14 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 13-12-2021 18:00 − Dienstag 14-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== *** News zu Log4j *** --------------------------------------------- Log4j: List of vulnerable products and vendor advisories https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-pro… Log4J-Lücke: BSI gibt vorschnell Entwarnung für Verbraucher https://www.golem.de/news/log4j-luecke-bsi-gibt-vorschnell-entwarnung-fuer-… Log4Shell Is Spawning Even Nastier Mutations https://threatpost.com/apache-log4j-log4shell-mutations/176962/ Log4j: Getting ready for the long haul (CVE-2021-44228), (Tue, Dec 14th) https://isc.sans.edu/diary/rss/28130 Log4j 2.16.0 verbessert Schutz vor Log4Shell-Lücke https://heise.de/-6294053 Kommentar zu Log4j: Es funktioniert wie spezifiziert https://heise.de/-6294476 GitHubs Antwort auf die kritische Log4j-Lücke https://heise.de/-6294120 Security company offers Log4j vaccine for systems that cant be updated immediately https://www.zdnet.com/article/security-company-offers-log4j-vaccine-for-sys… CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 https://us-cert.cisa.gov/ncas/current-activity/2021/12/13/cisa-creates-webp… The numbers behind a cyber pandemic – detailed dive https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-… Log4Shell (Log4j RCE): Detecting Post-Exploitation Evidence is Best Chance for Mitigation https://www.intezer.com/blog/cloud-security/log4shell-mitigation/ Log4Shell log4j vulnerability (CVE-2021-44228) - cheat-sheet reference guide https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ --------------------------------------------- https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ ∗∗∗ Anubis Android malware returns to target 394 financial apps ∗∗∗ --------------------------------------------- The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/anubis-android-malware-retur… ∗∗∗ Malware und Security: Microsoft bietet Analyse potenziell gefährlicher Treiber an ∗∗∗ --------------------------------------------- Mit Hilfe eines Formulars können Kunden Treiber zu Microsoft schicken. Die werden erst automatisiert und bei Bedarf von Menschen geprüft. --------------------------------------------- https://www.golem.de/news/malware-und-security-microsoft-bietet-analyse-pot… ∗∗∗ Owowa: the add-on that turns your OWA into a credential stealer and remote access panel ∗∗∗ --------------------------------------------- We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. --------------------------------------------- https://securelist.com/owowa-credential-stealer-and-remote-access/105219/ ∗∗∗ How Malware Gets On Your Website ∗∗∗ --------------------------------------------- Almost since the Internet’s inception malware infections have kept pace to be the biggest nuisance a site owner experiences. With an ever growing amount of sites making up the World Wide Web, malware infections only become more common. In this article we’ll discuss what malware is, the various types we’ve come across, the methods used to inject malware into a site, and how you can harden/protect your site from these methods. --------------------------------------------- https://blog.sucuri.net/2021/12/how-malware-gets-on-your-website.html ∗∗∗ Gefährliche Lücken in Server-Backupsoftware IBM Spectrum Protect geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit IBM Spectrum Protect angreifen und im schlimmsten Fall Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6294287 ∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗ --------------------------------------------- 15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viel schätzt SAP als hohes oder gar kritisches Risiko ein. --------------------------------------------- https://heise.de/-6294773 ∗∗∗ Vorsicht, wenn Ihre Internetbekanntschaft um Geld bittet ∗∗∗ --------------------------------------------- Sie haben auf einer Dating-Plattform einen Mann kennengelernt? Er ist zuvorkommend, gutaussehend und noch dazu gebildet? Es gibt nur einen Haken: Er befindet sich gerade im Ausland. Mit Ihrer finanziellen Unterstützung steht einem baldigen Treffen aber nichts im Weg. Achtung: Sie sind an einen Love-Scammer geraten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-ihre-internetbekanntsc… ∗∗∗ Apple releases Android app to find rogue AirTags ∗∗∗ --------------------------------------------- Apple has released an Android app on Monday to help Android users detect malicious nearby AirTag devices that might be used to track them. --------------------------------------------- https://therecord.media/apple-releases-android-app-to-find-malicious-airtag… ===================== = Vulnerabilities = ===================== *** Advisories zur Log4j-Schwachstelle *** --------------------------------------------- SSA-661247: Apache Log4j Vulnerability (CVE-2021-44228, Log4Shell) - Impact to Siemens Products https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt JSA11259 https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11259 Vulnerability in Apache Log4j Library https://www.qnap.com/en-us/security-advisory/QSA-21-58 Apache Log4j Vulnerability https://support.lenovo.com/product_security/PS500457-APACHE-LOG4J-VULNERABI… Security Notice – Statement About Apache Log4j2 Remote Code Execution Vulnerability(CVE-2021-44228) https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20211210-01… --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20211210-01… ∗∗∗ Dell driver fix still allows Windows Kernel-level attacks ∗∗∗ --------------------------------------------- Dells driver fix of the CVE-2021-21551 vulnerability leaves margin for catastrophic BYOVD attacks resulting in Windows kernel driver code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Info about Log4Shell in IBM Products, Novalink, WebSphere Application Server, WebSphere MQ for HP NonStop Server, MQ for HP NonStop Server, Tivoli Netcool, Netezza Analytics, Netezza Host Management --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwere Sicherheitslücken in iOS und macOS: Apple-Updates bald einspielen ∗∗∗ --------------------------------------------- iOS 15.2 und macOS 12.1 beseitigen Schwachstellen, die unter anderem den Remote-Jailbreak erlaubten. Für ältere Systemversionen fehlen Patches teilweise. --------------------------------------------- https://heise.de/-6294390 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsamplerate and raptor2), Fedora (pam-u2f and python-markdown2), openSUSE (chromium, fetchmail, ImageMagick, and postgresql10), Oracle (samba), SUSE (fetchmail, postgresql10, python-pip, python3, and sles12sp2-docker-image), and Ubuntu (apache-log4j2, flatpak, glib, and samba). --------------------------------------------- https://lwn.net/Articles/878629/ ∗∗∗ Advantech R-SeeNet ∗∗∗ --------------------------------------------- This advisory contains mitigations for SQL Injection, and Improper Privilege Management vulnerabilities in the Advantech R-SeeNet monitoring application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-01 ∗∗∗ Schneider Electric Rack PDU ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cross-site Scripting vulnerability in Schneider Electric Rack Power Distribution Unit (PDU). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02 ∗∗∗ K73710094: XSS vulnerability in undisclosed page of the NGINX Swagger UI ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73710094 ∗∗∗ ZDI-21-1536: Trend Micro Maximum Security Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1536/ ∗∗∗ ZDI-21-1535: McAfee Database Security Improper Access Control Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1535/ *** Siemens Security Advisories *** --------------------------------------------- SSA-496292: Remote Code Execution Vulnerability in POWER METER SICAM Q100 https://cert-portal.siemens.com/productcert/txt/ssa-496292.txt SSA-463116: Multiple Access Control Vulnerabilities in Siveillance Identity before https://cert-portal.siemens.com/productcert/txt/ssa-463116.txt SSA-400332: Insufficient Design IP Protection in IEEE 1735 Recommended Practice - Impact to Questa and ModelSim https://cert-portal.siemens.com/productcert/txt/ssa-400332.txt SSA-396621: Multiple File Parsing Vulnerabilities in JTTK before V10.8.1.1 and JT Utilities before V12.8.1.1 https://cert-portal.siemens.com/productcert/txt/ssa-396621.txt SSA-390195: LibVNC Vulnerabilities in SIMATIC ITC Products https://cert-portal.siemens.com/productcert/txt/ssa-390195.txt SSA-352143: Multiple File Parsing Vulnerabilities in JTTK before V11.0.3.0 and JT Utilities before V13.0.3.0 https://cert-portal.siemens.com/productcert/txt/ssa-352143.txt SSA-199605: Arbitrary File Download Vulnerability in SIMATIC eaSie PCS 7 Skill Package https://cert-portal.siemens.com/productcert/txt/ssa-199605.txt SSA-161331: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2021.3.1 https://cert-portal.siemens.com/productcert/txt/ssa-161331.txt SSA-160202: Multiple Access Control Vulnerabilities in SiPass Integrated https://cert-portal.siemens.com/productcert/txt/ssa-160202.txt SSA-133772: Zip Path Traversal Vulnerability in Teamcenter Active Workspace https://cert-portal.siemens.com/productcert/txt/ssa-133772.txt SSA-523250: Improper Certificate Validation Vulnerability in SINUMERIK Edge https://cert-portal.siemens.com/productcert/txt/ssa-523250.txt SSA-595101: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.5 https://cert-portal.siemens.com/productcert/txt/ssa-595101.txt SSA-620288: Multiple Vulnerabilities (NUCLEUS:13) in CAPITAL VSTAR https://cert-portal.siemens.com/productcert/txt/ssa-620288.txt SSA-802578: Multiple File Parsing Vulnerabilities in JTTK before V11.1.1.0 and JT Utilities before V13.1.1.0 https://cert-portal.siemens.com/productcert/txt/ssa-802578.txt --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2021
by Daily end-of-shift report 13 Dec '21

13 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-12-2021 18:00 − Montag 13-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Schutz vor Log4j-Lücke – was hilft jetzt und was eher nicht ∗∗∗ --------------------------------------------- "Warnstufe Rot" für Anwender und Firmen, doch was bedeutet das konkret? So testen Sie Dienste auf die Log4j-Lücke und reduzieren ihr Risiko vor Angriffen. --------------------------------------------- https://heise.de/-6292961 ∗∗∗ log4j-scan ∗∗∗ --------------------------------------------- We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. --------------------------------------------- https://github.com/fullhunt/log4j-scan ∗∗∗ Ten families of malicious samples are spreading using the Log4j2 vulnerability Now ∗∗∗ --------------------------------------------- On December 11, 2021, at 8:00 pm, we published a blog disclosing Mirai and Muhstik botnet samples propagating through Log4j2 RCE vulnerability[1]. Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10. --------------------------------------------- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading… ∗∗∗ log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 ∗∗∗ --------------------------------------------- tl;dr Run add our new tool, -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes [...] --------------------------------------------- https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitiga… ∗∗∗ Malicious PyPI packages with over 10,000 downloads taken down ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers report. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with… ∗∗∗ Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group ∗∗∗ --------------------------------------------- A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, [...] --------------------------------------------- https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html ∗∗∗ HANCITOR DOC drops via CLIPBOARD ∗∗∗ --------------------------------------------- Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via… ∗∗∗ Diavol Ransomware ∗∗∗ --------------------------------------------- In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Diavol Ransomware. --------------------------------------------- https://thedfirreport.com/2021/12/13/diavol-ransomware/ ∗∗∗ Bugs in the Cloud: How One Vulnerability Exposed 'Offline' Devices to a Security Risk ∗∗∗ --------------------------------------------- The post Bugs in the Cloud: How One Vulnerability Exposed ‘Offline’ Devices to a Security Risk appeared first on Claroty. --------------------------------------------- https://claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vuln… ∗∗∗ Von wegen Darknet – Ransomware-Gangs setzen Opfer per Social Media unter Druck ∗∗∗ --------------------------------------------- Ransomware-Gruppen nutzen soziale Netzwerkkanäle, um ihre Angriffe zu bewerben und damit ihre Opfer weiter zur Lösegeldzahlung unter Druck zu setzen. --------------------------------------------- https://blog.emsisoft.com/de/39431/von-wegen-darknet-ransomware-gangs-setze… ∗∗∗ Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits ∗∗∗ --------------------------------------------- Deserialization vulnerabilities are a class of bugs that have plagued multiple languages and applications over the years. These include Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more. Fundamentally, these bugs are a result of applications placing too much trust in data that a user (or attacker) can tamper with. --------------------------------------------- https://www.mandiant.com/resources/hunting-deserialization-exploits ===================== = Vulnerabilities = ===================== ∗∗∗ Log4j Vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228). --------------------------------------------- https://github.com/NCSC-NL/log4shell ∗∗∗ VMSA-2021-0028 ∗∗∗ --------------------------------------------- [...] Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Log4j Zero-Day Vulnerability ∗∗∗ --------------------------------------------- IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90… ∗∗∗ Bugs in billions of WiFi, Bluetooth chips allow password, data theft ∗∗∗ --------------------------------------------- Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves its possible to extract passwords and manipulate traffic on a WiFi chip by targeting a devices Bluetooth component. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-blu… ∗∗∗ IBM Security Bulletins 2021-12-10 - 2021-13 ∗∗∗ --------------------------------------------- WebSphere Application Server, Rational Application Developer for WebSphere, Spectrum Copy Data Management, Tivoli Netcool, Spectrum Protect, i2 Analystss Notebook, Decision Optimization Center, ILOG CPLEX Optimization Studio, PowerVM, Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, [...] --------------------------------------------- https://lwn.net/Articles/878520/ ∗∗∗ CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirtee… ∗∗∗ Oracle Security Alert for CVE-2021-44228 - 10 December 2021 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html ∗∗∗ Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Citrix Security Advisory for Apache CVE-2021-44228 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX335705 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.12.2021
by Daily end-of-shift report 10 Dec '21

10 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-12-2021 18:00 − Freitag 10-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps ∗∗∗ --------------------------------------------- Eine Zero-Day-Schwachstelle in Apaches Log4j ermöglicht Angreifern, etwa auf Servern von Cloud-Diensten oder in Anwendungen Schadcode einzuschmuggeln. --------------------------------------------- https://heise.de/-6291653 ∗∗∗ Dark Mirai botnet targeting RCE on popular TP-Link router ∗∗∗ --------------------------------------------- The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-… ∗∗∗ Python Shellcode Injection From JSON Data, (Fri, Dec 10th) ∗∗∗ --------------------------------------------- My hunting rules detected a niece piece of Python code. It's interesting to see how the code is simple, not deeply obfuscated, and with a very low VT score: 2/56![1]. I see more and more malicious Python code targeting the Windows environments. Thanks to the library ctypes[2], Python is able to use any native API calls provided by DLLs. --------------------------------------------- https://isc.sans.edu/diary/rss/28118 ∗∗∗ Click "OK" to defeat MFA ∗∗∗ --------------------------------------------- A sophisticated threat actor has been using a very unsophisticated method to defeat multi-factor authentication. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/12/click-ok-to-defeat-mfa/ ∗∗∗ 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs ∗∗∗ --------------------------------------------- Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites. --------------------------------------------- https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/ ∗∗∗ Winterurlaub geplant? Buchen Sie nicht über dein-berghuettenurlaub.de! ∗∗∗ --------------------------------------------- Bald ist der Lockdown in Österreich vorbei. Dementsprechend freuen sich wohl schon einige auf eine Auszeit über Weihnachten oder Silvester. Was wäre aufgrund der aktuellen Corona-Lage besser geeignet als eine einsame Hütte? Doch Vorsicht, wer online eine solche Hütte buchen will, könnte auf betrügerische Seiten stoßen! --------------------------------------------- https://www.watchlist-internet.at/news/winterurlaub-geplant-buchen-sie-nich… ∗∗∗ This old malware has just picked up some nasty new tricks ∗∗∗ --------------------------------------------- The crafty Qakbot trojan has added ransomware delivery to its malware building blocks. --------------------------------------------- https://www.zdnet.com/article/this-decade-old-malware-has-picked-up-some-na… ∗∗∗ Microsoft launches center for reporting malicious drivers ∗∗∗ --------------------------------------------- Microsoft has launched this week a special web portal where users and researchers can report malicious drivers to the companys security team. --------------------------------------------- https://therecord.media/microsoft-launches-center-for-reporting-malicious-d… ∗∗∗ Twitter-Thread zur log4j-Schwachstelle ∗∗∗ --------------------------------------------- https://twitter.com/TimPhSchaefers/status/1469271197993115655 ===================== = Vulnerabilities = ===================== ∗∗∗ RCE in log4j, Log4Shell, or how things can get bad quickly, (Fri, Dec 10th) ∗∗∗ --------------------------------------------- If you have been following developments on Twitter and various other security sources, by now you have undoubtedly heard about the latest vulnerability in the very popular Apache log4j library. --------------------------------------------- https://isc.sans.edu/diary/rss/28120 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/878279/ ∗∗∗ WD Updates SanDisk SecureAccess to Prevent Dictionary, Brute Force Attacks ∗∗∗ --------------------------------------------- Western Digital has updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. --------------------------------------------- https://www.securityweek.com/wd-updates-sandisk-secureaccess-prevent-dictio… ∗∗∗ Cisco Releases Security Advisory for Multiple Products Affected by Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- Cisco has released a security advisory to address Cisco products affected by multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases. An unauthenticated remote attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisco-releases-se… ∗∗∗ Schwachstellen in Oracle-Datenbankservern (SYSS-2021-061/-062) ∗∗∗ --------------------------------------------- In Oracle-Datenbankservern wurden Schwachstellen identifiziert. Sie erlauben es Angreifern, Zugang zur Datenbank von legitimen Benutzern zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-061/syss-2021-062 ∗∗∗ TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j) ∗∗∗ --------------------------------------------- CVE-2021-44228 vulnerability enables remote code injection on systems running Log4j. The attacker has to trigger a log entry generation containing a JNDI request. The vulnerability can be exploited without authentication. The exploit needs to be processed by Log4j. Impacted Log4j versions are: 2.0 to 2.14.1. --------------------------------------------- https://www.circl.lu/pub/tr-65 ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1266 ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js, IBM WebSphere Application Server Liberty, and OpenSSL affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Dec. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: The PowerVM hypervisor is vulnerable to a carefully crafted IBMi hypervisor call that can lead to a system crash ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-is… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: The PowerVM hypervisor can allow an attacker that gains service access to the FSP to read and write system memory ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-ca… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2021
by Daily end-of-shift report 09 Dec '21

09 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-12-2021 18:00 − Donnerstag 09-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious NPM packages are part of a malware “barrage” hitting repositories ∗∗∗ --------------------------------------------- Peoples trust in repositories make them the perfect vectors for malware. --------------------------------------------- https://arstechnica.com/?p=1818997 ∗∗∗ New Cerber ransomware targets Confluence and GitLab servers ∗∗∗ --------------------------------------------- Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-target… ∗∗∗ Grafana fixes zero-day vulnerability after exploits spread over Twitter ∗∗∗ --------------------------------------------- Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/grafana-fixes-zero-day-vulne… ∗∗∗ Emotet now drops Cobalt Strike, fast forwards ransomware attacks ∗∗∗ --------------------------------------------- In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-stri… ∗∗∗ The life cycle of phishing pages ∗∗∗ --------------------------------------------- Weve analyzed the life cycle of phishing pages, how they transform during their active period, and the domains where they're located. --------------------------------------------- https://securelist.com/phishing-page-life-cycle/105171/ ∗∗∗ Moobot Botnet Chews Up Hikvision Surveillance Systems ∗∗∗ --------------------------------------------- Attackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned. --------------------------------------------- https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/ ∗∗∗ PHP Re-Infectors – The Malware that Keeps On Giving ∗∗∗ --------------------------------------------- Attackers have developed some methods for protecting their work as we will explore in this post. We will also look at how you can remove this infection from a compromised website. --------------------------------------------- https://blog.sucuri.net/2021/12/php-re-infectors-the-malware-that-keeps-on-… ∗∗∗ Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs ∗∗∗ --------------------------------------------- At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices. --------------------------------------------- https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html ∗∗∗ Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks ∗∗∗ --------------------------------------------- Vulnerabilities in Microsoft and others’ popular OAuth2.0 implementations lead to redirection attacks that bypass most phishing detection solutions and email security solutions. --------------------------------------------- https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oaut… ∗∗∗ Virtualisiertes USB als Sicherheitslücke ∗∗∗ --------------------------------------------- USB+Cloud=Gefahr. Lücken in USB-über-Ethernet-Treibern für Clouddienste erlauben Angreifern, lokal und serverseitig beliebigen Code im Kernel-Modus auszuführen. --------------------------------------------- https://heise.de/-6289521 ∗∗∗ Is your web browser vulnerable to data theft? XS-Leak explained ∗∗∗ --------------------------------------------- IT security researchers recently exposed new cross-site leak (XS-Leak) attacks against modern-day browsers. But what is XS-Leak anyway? --------------------------------------------- https://blog.malwarebytes.com/explained/2021/12/is-your-web-browser-vulnera… ∗∗∗ Was threat actor KAX17 de-anonymizing the Tor network? ∗∗∗ --------------------------------------------- A threat actor was found to be running a high percentage of the Tor Networks servers. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/12/was-threat-actor-kax17-de-ano… ∗∗∗ Detecting Patient Zero Web Threats in Real Time With Advanced URL Filtering ∗∗∗ --------------------------------------------- Patient zero web threats are malicious URLs that are being seen for the first time. We discuss how to stop them despite attacker cloaking techniques. --------------------------------------------- https://unit42.paloaltonetworks.com/patient-zero-web-threats/ ∗∗∗ CISA Releases Guidance on Protecting Organization-Run Social Media Accounts ∗∗∗ --------------------------------------------- CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisa-releases-gui… ∗∗∗ Two Birds with One Stone: An Introduction to V8 and JIT Exploitation ∗∗∗ --------------------------------------------- In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 – Google’s open-source high-performance JavaScript and WebAssembly engine – through the lens of a bug used during Pwn2Own Vancouver 2021. --------------------------------------------- https://www.thezdi.com/blog/2021/12/6/two-birds-with-one-stone-an-introduct… ∗∗∗ Kernel Karnage – Part 6 (Last Call) ∗∗∗ --------------------------------------------- Having covered process, thread and image callbacks in the previous blogposts, I think it’s only fair if we conclude this topic with registry and object callbacks. --------------------------------------------- https://blog.nviso.eu/2021/12/09/kernel-karnage-part-6-last-call/ ===================== = Vulnerabilities = ===================== ∗∗∗ SanDisk SecureAccess bug allows brute forcing vault passwords ∗∗∗ --------------------------------------------- Western Digital has fixed a security vulnerability that enabled attackers to brute force SanDisk SecureAccess passwords and access the users protected files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sandisk-secureaccess-bug-all… ∗∗∗ IBM Security Bulletins 2021-12-07 and 2021-12-08 ∗∗∗ --------------------------------------------- DB2, WebSphere Application Server, Tivoli Business Service Manager, PowerHA, Guardium Data Encryption, Watson Speech Services, Process Designer, Business Automation Workflow --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Jetzt patchen! Root-Lücke in Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen unter anderem kritische Schwachstellen in Secure-Mobile-Access-Appliances. --------------------------------------------- https://heise.de/-6290012 ∗∗∗ FortiOS- und FortiProxy-Updates schließen Sicherheitslücken, Check empfohlen ∗∗∗ --------------------------------------------- Fortinet ist auf ein unterwandertes System gestoßen und empfiehlt Administratoren die Überprüfung auf Einbruchsspuren. Zudem stehen Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6290546 ∗∗∗ LibreOffice zieht Update wegen kritischer Schwachstelle vor ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der NSS-Bibliothek betrifft auch LibreOffice und ermöglicht das Unterschieben von Schadcode. Updates zur Absicherung stehen bereit. --------------------------------------------- https://heise.de/-6290069 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nss), Fedora (rubygem-rmagick), openSUSE (xen), Red Hat (firefox and nss), SUSE (kernel and xen), and Ubuntu (mailman and nss). --------------------------------------------- https://lwn.net/Articles/878038/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/878142/ ∗∗∗ Bentley BE-2021-0005: Out-of-bounds and use-after-free vulnerabilities in Bentley MicroStation and Bentley View ∗∗∗ --------------------------------------------- https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 ∗∗∗ Helmholz: Remote user enumeration in myREX24/myREX24-virtual ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-058/ ∗∗∗ Helmholz: Privilege Escalation in shDialup ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-057/ ∗∗∗ Hitachi Energy RTU500 OpenLDAP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-341-01 ∗∗∗ Hitachi Energy XMC20 and FOX61x ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-341-02 ∗∗∗ FANUC Robot Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-243-02 ∗∗∗ Hillrom Welch Allyn Cardio Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-343-01 ∗∗∗ Hitachi Energy GMS600, PWC600, and Relion ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-343-01 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-343-02 ∗∗∗ Multiple Vulnerabilities in Bosch BT software products ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html ∗∗∗ Stack Buffer Overflow Vulnerability in Surveillance Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-46 ∗∗∗ Reflected XSS Vulnerability in Kazoo Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-54 ∗∗∗ Improper Authentication Vulnerability in Qfile ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-55 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2021
by Daily end-of-shift report 07 Dec '21

07 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 06-12-2021 18:00 − Dienstag 07-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Code-Schmuggel-Sicherheitslücke in Windows nur halbherzig geschlossen ∗∗∗ --------------------------------------------- Eine Lücke in Windows, die bösartige Webseiten zum Ausführen von Schadcode missbrauchen könnte, lässt sich trotz Update noch eingeschränkt missbrauchen. --------------------------------------------- https://heise.de/-6288402 ∗∗∗ Achtung: Jobangebote von „ab-group.info“ & „mctrl-marktforschung.com“ sind Fake ∗∗∗ --------------------------------------------- Homeoffice, flexible Arbeitszeiten, frei wählbare Anstellungsverhältnisse und obendrein gut bezahlt. Das versprechen Marktforschungsagenturen wie „ab-group.info“ & „mctrl-marktforschung.com“. Doch Vorsicht: Dabei handelt es sich um betrügerische Jobangebote. Interessierte übermitteln bei einer Bewerbung persönliche Daten sowie Ausweiskopien an Kriminelle. Im schlimmsten Fall werden im eigenen Namen Bankkonten für Kriminelle eröffnet! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-jobangebote-von-ab-groupinfo… ∗∗∗ STOP Ransomware vaccine released to block encryption ∗∗∗ --------------------------------------------- German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims files after infection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stop-ransomware-vaccine-rele… ∗∗∗ Apache Kafka Cloud Clusters Expose Sensitive Data for Large Companies ∗∗∗ --------------------------------------------- The culprit is misconfigured Kafdrop interfaces, used for centralized management of the open-source platform. --------------------------------------------- https://threatpost.com/apache-kafka-cloud-clusters-expose-data/176778/ ∗∗∗ WooCommerce Credit Card Swiper Injected Into Random Plugin Files ∗∗∗ --------------------------------------------- It’s that time of year again! While website owners always need to be on guard, the holidays season is when online scams and credit card theft are most rampant. Administrators of ecommerce websites need to be extra vigilant as this case will demonstrate. --------------------------------------------- https://blog.sucuri.net/2021/12/woocommerce-credit-card-swiper-injected-int… ∗∗∗ Cryptominers arent just a headache – theyre a big neon sign that Bad Things are on your network ∗∗∗ --------------------------------------------- So says Sophos in warning about Tor2Mine Monero malware Cryptominer malware removal is a routine piece of the cybersecurity landscape these days. Yet if criminals are hijacking your compute cycles to mine cryptocurrencies, chances are theres something worse lurking on your network too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/12/07/sophos_tor2m… ∗∗∗ Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm ∗∗∗ --------------------------------------------- Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted. --------------------------------------------- https://blog.fox-it.com/2021/12/07/encryption-does-not-equal-invisibility-d… ∗∗∗ XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit ∗∗∗ --------------------------------------------- In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as "XE Group". Volexity believes that XE Group is likely a Vietnamese-origin criminal threat actor whose intrusions follow an approximate pattern: Compromise of externally facing services via known exploits (e.g., Telerik UI vulnerabilities) Monetization of these compromises through installation of password theft or credit card skimming code for web [...] --------------------------------------------- https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hackin… ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer attackieren PC-Management-Software Zoho ManageEngine Desktop Central ∗∗∗ --------------------------------------------- Nur die neusten Versionen schützen die Software. Zoho rät zu zügigen Updates. --------------------------------------------- https://heise.de/-6287937 ∗∗∗ 27 flaws in USB-over-network SDK affect millions of cloud users ∗∗∗ --------------------------------------------- Researchers have discovered 27 vulnerabilities in Eltima SDK, a library used by numerous cloud providers to remotely mount a local USB device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/27-flaws-in-usb-over-network… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (nss), Debian (roundcube and runc), openSUSE (aaa_base, brotli, clamav, glib-networking, gmp, go1.16, hiredis, kernel, mozilla-nss, nodejs12, nodejs14, openexr, openssh, php7, python-Babel, ruby2.5, speex, wireshark, and xen), Oracle (kernel and nss), Red Hat (kpatch-patch, nss, rpm, and thunderbird), SUSE (brotli, clamav, glib-networking, gmp, kernel, mariadb, mozilla-nss, nodejs12, nodejs14, openssh, php7, python-Babel, and wireshark), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/877945/ ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1252 ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1251 ∗∗∗ Security Bulletin: Multiple vulnerabilities in Redis affecting the IBM Event Streams UI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Event Streams through Apache Kafka key/password validation (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-even… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in the Java runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-20254) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affecting IBM Event Streams (CVE-2021-22960 and CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2021
by Daily end-of-shift report 06 Dec '21

06 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-12-2021 18:00 − Montag 06-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Is My Site Hacked? 4 Gut Checks ∗∗∗ --------------------------------------------- Today, we’re looking at 4 quick gut check tests you can do to get the answer to the question, “is my site hacked?” --------------------------------------------- https://blog.sucuri.net/2021/12/is-my-site-hacked-4-gut-checks.html ∗∗∗ Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks ∗∗∗ --------------------------------------------- Enterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months. The issue, assigned the identifier CVE-2021-44515, is an authentication bypass vulnerability ... --------------------------------------------- https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html ∗∗∗ Malicious KMSPico Windows Activator Stealing Users Cryptocurrency Wallets ∗∗∗ --------------------------------------------- Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets. The malware, dubbed "CryptBot," is an information stealer capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, credit cards, and capturing screenshots from the infected systems. --------------------------------------------- https://thehackernews.com/2021/12/malicious-kmspico-windows-activator.html ∗∗∗ The Importance of Out-of-Band Networks ∗∗∗ --------------------------------------------- Out-of-band (or "OoB") networks are usually dedicated to management tasks. Many security appliances and servers have dedicated management interfaces that are used to set up, control, and monitor the device. A best practice is to connect those management interfaces to a dedicated network that is not directly connected to the network used to carry applications/users data. --------------------------------------------- https://isc.sans.edu/diary/rss/28102 ∗∗∗ Who Is the Network Access Broker ‘Babam’? ∗∗∗ --------------------------------------------- Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in stealing remote access credentials -- such as usernames and passwords needed to remotely connect to the targets network. In this post well look at the clues left behind by "Babam," the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions ... --------------------------------------------- https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam/ ∗∗∗ Emotet’s back and it isn’t wasting any time ∗∗∗ --------------------------------------------- Last month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from the dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity. --------------------------------------------- https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wast… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Small Business 220 Series Smart Switches Link Layer Discovery Protocol Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: - Execute code on the affected device or cause it to reload unexpectedly - Cause LLDP database corruption on the affected device --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins 2021-12-03 ∗∗∗ --------------------------------------------- IBM Event Streams, IBM Cloud Automation Manager, IBM Data Studio Client, EDB PostreSQL with IBM, EDB Postgres Advanced Server with IBM, IBM Data Management Platform (Enterprise, Standard), IBM QRadar SIEM --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (isync, lib32-nss, nss, opera, and vivaldi), Debian (gerbv and xen), Fedora (autotrace, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, libsndfile, nss, pfstools, php-pecl-imagick, psiconv, q, R-magick, rss-glx, rubygem-rmagick, seamonkey, skopeo, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, vim, vips, and WindowMaker), Mageia (golang, kernel, kernel-linus, mariadb, and vim), openSUSE (aaa_base, python-Pygments, singularity, and tor), Red Hat (nss), Slackware (mozilla), SUSE (aaa_base, kernel, openssh, php74, and xen), and Ubuntu (libmodbus, lrzip, samba, and uriparser). --------------------------------------------- https://lwn.net/Articles/877821/ ∗∗∗ ABB Cyber Security Advisory: OmniCore RobotWare Missing Authentication Vulnerability CVE ID: CVE-2021-22279 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCod… ∗∗∗ F5 K50839343: NGINX ModSecurity WAF vulnerability CVE-2021-42717 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50839343 ∗∗∗ F5 K12705583: OpenSSH vulnerability CVE-2021-41617 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12705583 ∗∗∗ Auerswald COMpact Multiple Backdoors ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/ ∗∗∗ Auerswald COMpact Arbitrary File Disclosure ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-006/ ∗∗∗ Auerswald COMpact Privilege Escalation ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-005/ ∗∗∗ Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2021
by Daily end-of-shift report 06 Dec '21

06 Dec '21

-- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2021
by Daily end-of-shift report 03 Dec '21

03 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-12-2021 18:00 − Freitag 03-12-2021 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Key Characteristics of Malicious Domains: Report ∗∗∗ --------------------------------------------- Newer top-level domains and certain hosting providers are frequent sources of malicious content, while newly registered domains and free SSL certificates are not any more likely than average to be risky, new research shows. --------------------------------------------- https://www.darkreading.com/threat-intelligence/research-outs-the-providers… ∗∗∗ Vorsicht: „Neue Weihnachts-Emoji für Whatsapp“ ist eine Falle ∗∗∗ --------------------------------------------- Über eine WhatsApp-Nachricht, die Weihnachts-Emoji verspricht, werden Abo-Fallen und Schadsoftware verbreitet. --------------------------------------------- https://futurezone.at/apps/vorsicht-neue-weihnachts-emoji-fuer-whatsapp-fal… ∗∗∗ The UPX Packer Will Never Die!, (Fri, Dec 3rd) ∗∗∗ --------------------------------------------- Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack their software to protect the code. --------------------------------------------- https://isc.sans.edu/diary/rss/28096 ∗∗∗ Exploring Container Security: A Storage Vulnerability Deep Dive ∗∗∗ --------------------------------------------- Recently, the GKE Security team discovered a high severity vulnerability in Kubernetes (CVE-2021-25741) that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community. --------------------------------------------- https://security.googleblog.com/2021/12/exploring-container-security-storag… ∗∗∗ Analysis: AWS SageMaker Jupyter Notebook Instance Takeover ∗∗∗ --------------------------------------------- During our research about security in data science tools we decided to look at Amazon SageMaker which is a fully managed machine learning service in AWS. Here is the long and short of our recent discovery. [...] Using the access token, the attacker can read data from S3 buckets, create VPC endpoints and more actions that are allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy. We reported the vulnerability we discovered to the AWS security team [...] --------------------------------------------- https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability ∗∗∗ Beispiele für Viren-Mails nach Übernahme eines Exchange-Servers ∗∗∗ --------------------------------------------- Und schon sind wir beim dritten Türchen im Security-Adventskalender meines Blogs. Ich hatte ja hier im Blog mehrfach gewarnt, dass ungepatchte Exchange-Server übernommen und zum Spam-Versand missbraucht werden. Ein Blog-Leser hat mir nun eine kurze Info zukommen lassen (danke), weil er einen kompromittierten Exchange-Server gefunden hat, der kompromittiert war und infizierte Spam-Mails verschickte. --------------------------------------------- https://www.borncity.com/blog/2021/12/03/beispiele-fr-viren-mails-nach-bern… ∗∗∗ Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension ∗∗∗ --------------------------------------------- Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems. --------------------------------------------- https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertisin… ∗∗∗ Mehrwertdienste versuchen Sie in die Abo-Falle zu locken! ∗∗∗ --------------------------------------------- Einmal die falsche App am Handy installiert, einen falschen Link geöffnet oder auf einen vermeintlich harmlosen Button geklickt: Am Smartphone kann es sehr schnell passieren, dass Sie in einer Abo-Falle landen und Ihre Telefonrechnung plötzlich deutlich höher ausfällt als gewohnt. Doch keine Sorge: Auch wenn bereits Geld abgebucht wurde, können Sie die Rechnung bei Ihrem Mobilfunkanbieter beanstanden. --------------------------------------------- https://www.watchlist-internet.at/news/mehrwertdienste-versuchen-sie-in-die… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers discover 14 new data-stealing web browser attacks ∗∗∗ --------------------------------------------- IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of XS-Leak cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-discover-14-new-… ∗∗∗ CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus ∗∗∗ --------------------------------------------- This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-rele… ∗∗∗ IBM Security Bulletins 2021-12-02 ∗∗∗ --------------------------------------------- IBM Integration Bus, Power System, IBM Cloud Pak System, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Cognos Analytics --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050) ∗∗∗ --------------------------------------------- The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests. --------------------------------------------- https://research.nccgroup.com/2021/12/02/technical-advisory-authenticated-s… ∗∗∗ Free Micropatches for the "InstallerFileTakeOver" 0day ∗∗∗ --------------------------------------------- Wow, this is the third 0day found by the same researcher we're patching in the last two weeks. Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation [...] --------------------------------------------- https://blog.0patch.com/2021/12/free-micropatches-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14). --------------------------------------------- https://lwn.net/Articles/877582/ ∗∗∗ Schneider Electric SESU ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficient Entropy vulnerability in the Schneider Electric Software Update. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-01 ∗∗∗ Johnson Controls Entrapass ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Johnson Controls Entrapass security management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-02 ∗∗∗ Distributed Data Systems WebHMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass by Primary Weakness, and Unrestricted Upload of File with Dangerous Type vulnerabilities in Distributed Data Systems WebHMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03 ∗∗∗ Hitachi Energy RTU500 series BCI ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Hitachi Energy RTU500 series BCI remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-04 ∗∗∗ Hitachi Energy Relion 670/650/SAM600-IO ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insecure Default Initialization of Resource vulnerability in Hitachi Energy Relion 670/650/SAM600-IO Intelligent Electronic Devices (IEDs). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-05 ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in Hitachi Energy Transformer Asset Performance Management (APM) Edge software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-06 ∗∗∗ Hitachi Energy PCM600 Update Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Improper Certificate Validation vulnerability in Hitachi Energy PCM600 Update Manager protection and control IED software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-07 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- This advisory contains mitigations for Observable Discrepancy, Buffer Over-read, and Out-of-bounds Read vulnerabilities in Hitachi Energy RTU500 remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-08 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2021
by Daily end-of-shift report 02 Dec '21

02 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-12-2021 18:00 − Donnerstag 02-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New malware hides as legit nginx process on e-commerce servers ∗∗∗ --------------------------------------------- eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions. [...] Because NginRAT hides as a normal Nginx process and the code exists only in the server’s memory, detecting it may be a challenge. However, the malware is launched using two variables, LD_PRELOAD and LD_L1BRARY_PATH. Administrators can use the latter, which contains the “typo,” to reveal the active malicious processes --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-n… ∗∗∗ Nine WiFi routers used by millions were vulnerable to 226 flaws ∗∗∗ --------------------------------------------- Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-mi… ∗∗∗ WordPress Admin Creator – A Simple, But Effective Attack ∗∗∗ --------------------------------------------- Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Injecting a malicious admin user into a WordPress site can allow attackers easy access back into a victims’ website after it has been cleaned. --------------------------------------------- https://blog.sucuri.net/2021/12/wordpress-admin-creator-a-simple-but-effect… ∗∗∗ pip-audit ∗∗∗ --------------------------------------------- pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports. --------------------------------------------- https://pypi.org/project/pip-audit/ ∗∗∗ Digitale Vignette nur in offiziellen Shops kaufen! ∗∗∗ --------------------------------------------- Bereits ab 1. Dezember ist die Vignette für das Jahr 2022 auf österreichischen Autobahnen gültig. Die digitale Vignette kann dabei nicht nur an verschiedenen offiziellen Verkaufsstellen, sondern auch online gekauft werde. Das machen sich unseriöse AnbieterInnen zu Nutze und bieten die digitale Vignette ungerechtfertigt zu höheren Preisen an. --------------------------------------------- https://www.watchlist-internet.at/news/digitale-vignette-nur-in-offiziellen… ∗∗∗ Azure Privilege Escalation via Azure API Permissions Abuse ∗∗∗ --------------------------------------------- In this post, I will explain how one of those permissions systems can be abused to escalate to Global Admin. I’ll explain how you as an attacker can abuse this system, and I will also explain how you as a defender can find, clean up, and prevent these abusable configurations. --------------------------------------------- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permis… ∗∗∗ Windows 10/11: Falle beim "trusted" Apps-Installer; Emotet nutzt das ∗∗∗ --------------------------------------------- Hoh hoh, Leute, wir können heute das zweite Türchen im Adventskalender öffnen und schauen, was Microsoft so schönes dahinter versteckt hat, um Administratoren zu erschrecken. Heute finden wir den AppX-Installer, der in Windows 10 und Windows 11 zum Installieren von Anwendungen und Apps verwendet wird. Hier ein kleiner Überblick, warum man das Wörtchen Trusted Apps nicht so ganz wörtlich nehmen soll. Denn der zugehörige Installer kann durchaus Malware auf das System spülen (Emotet nutzt das aktuell bei Angriffen), die Apps aber wegen eines gravierenden Design-Fehlers als Trusted ausweisen. --------------------------------------------- https://www.borncity.com/blog/2021/12/02/windows-10-11-falle-beim-trusted-a… ===================== = Vulnerabilities = ===================== ∗∗∗ BigSig-Lücke: Mozilla schließt kritische Schwachstelle in Krypto-Bibliothek NSS ∗∗∗ --------------------------------------------- Setzen Anwendungen zur sicheren Kommunikation Mozillas Network Security Services ein, könnte eine kritische Lücke für Probleme sorgen. [...] Die Programmbibliothek kommt beispielsweise im E-Mail-Client Thunderbird, LibreOffice und verschiedenen PDF-Betrachtern zum Einsatz. Einer Warnmeldung von Mozilla zufolge ist der hauseigene Webbrowser Firefox nicht von der als „kritisch“ eingestuften Sicherheitslücke (CVE-2021-43527) betroffen. --------------------------------------------- https://heise.de/-6281977 ∗∗∗ Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields" ∗∗∗ --------------------------------------------- Users of this product may do the following: - Browse unauthorized data on the database - CVE-2021-20865 - Obtain a list of information that an user do not have the privilege for - CVE-2021-20866 - Move field groups that an user do not have permission to use - CVE-2021-20867 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN09136401/ ∗∗∗ ZDI-21-1373: Jenkins Report Info XML External Entity Processing Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Jenkins Report Info. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1373/ ∗∗∗ Multiple vulnerabilities in OrbiTeam BSCW Server ∗∗∗ --------------------------------------------- The BSCW Server of OrbiTeam Software GmbH & Co. KG is prone to multiple vulnerabilities like reflected and stored XSS, LFI and Open Redirect. It is possible to chain these vulnerabilities and compromise the server even without a valid login. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, openssh, and rpm), Debian (nss), Fedora (seamonkey), Mageia (glibc), openSUSE (go1.16, go1.17, kernel, mariadb, netcdf, openexr, poppler, python-Pygments, python-sqlparse, ruby2.5, speex, and webkit2gtk3), Oracle (nss), Red Hat (nss), SUSE (clamav, glibc, gmp, go1.16, go1.17, kernel, mariadb, netcdf, OpenEXR, openexr, openssh, poppler, python-Pygments, python-sqlparse, ruby2.1, ruby2.5, speex, webkit2gtk3, and xen), and Ubuntu (nss and thunderbird). --------------------------------------------- https://lwn.net/Articles/877410/ ∗∗∗ Delta Electronics CNCSoft - ICS Advisory (ICSA-21-334-03) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-03 ∗∗∗ Security Bulletin: OpenSSH for IBM i is affected by CVE-2021-41617 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssh-for-ibm-i-is-affe… ∗∗∗ Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Tivoli Business Service Manager (CVE-2013-0248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-fileupload… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoringhas applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Netty.io ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoringhas applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Apache Wink as used by IBM Disconnected Log Collector is vulnerable to an XML External Entity Error (XXE) (CVE-2010-2245) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-wink-as-used-by-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2021
by Daily end-of-shift report 01 Dec '21

01 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-11-2021 18:00 − Mittwoch 01-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft Exchange servers hacked to deploy BlackByte ransomware ∗∗∗ --------------------------------------------- BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h… ∗∗∗ Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st) ∗∗∗ --------------------------------------------- We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. --------------------------------------------- https://isc.sans.edu/diary/rss/28088 ∗∗∗ Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors ∗∗∗ --------------------------------------------- RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel… ∗∗∗ l+f: Emotet-Fehlalarm vom Microsoft Defender ∗∗∗ --------------------------------------------- Microsofts Virenschutz hat Nutzer und Administratoren unnötig aufgeschreckt: Ein fehlerhaftes Erkennungs-Update sah Emotet-Infektionen, wo keine waren. --------------------------------------------- https://heise.de/-6280766 ∗∗∗ Tracking a P2P network related with TA505 ∗∗∗ --------------------------------------------- For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them. --------------------------------------------- https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-wit… ∗∗∗ Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome. --------------------------------------------- http://blog.talosintelligence.com/2021/12/vuln-spotlight-chrome-.html ∗∗∗ E-Mail: „Ihr Paket ist in der Warteschleife“ ist Fake ∗∗∗ --------------------------------------------- Warten Sie gerade auf ein Paket? Dann nehmen Sie sich vor E-Mails mit dem Betreff „Ihr Paket ist in der Warteschleife“ in Acht. Kriminelle geben sich als DHL aus und behaupten, dass Zollgebühren ausständig sind. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-ihr-paket-ist-in-der-wartesch… ∗∗∗ Play Your Cards Right: Detecting Wildcard DNS Abuse ∗∗∗ --------------------------------------------- Wildcard DNS records can be used constructively, but their flexibility also provides attackers with a variety of options for executing attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/wildcard-dns-abuse/ ∗∗∗ Shodan Verified Vulns 2021-12-01 ∗∗∗ --------------------------------------------- Insgesamt gibt es kaum Veränderungen zum Vormonat, wobei die Anzahl der verwundbaren Microsoft Exchange Server relativ deutlich zurückging – Props an die Administrator:innen! --------------------------------------------- https://cert.at/de/aktuelles/2021/12/shodan-verified-vulns-2021-12-01 ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-kn… ∗∗∗ FBI document shows what data can be obtained from encrypted messaging apps ∗∗∗ --------------------------------------------- A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr. --------------------------------------------- https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-e… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2021-11-30 ∗∗∗ --------------------------------------------- IBM QRadar SIEM, IBM Integration Bus, IBM App Connect Enterprise, IBM HTTP Server, IBM Cloud Pak for Data, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Match 360, IBM SDK (Java™ Technology Edition), IBM WebSphere Application Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rsync, rsyslog, and uriparser), Fedora (containerd, freeipa, golang-github-containerd-ttrpc, libdxfrw, libldb, librecad, mingw-speex, moby-engine, samba, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and samba), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, [...]) --------------------------------------------- https://lwn.net/Articles/877284/ ∗∗∗ Verwaltungssoftware Jamf Pro für Apple-Geräte könnte Zugangsdaten leaken ∗∗∗ --------------------------------------------- https://heise.de/-6281352 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211201-… ∗∗∗ XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/12/xss-vulnerability-patched-in-plugin-… ∗∗∗ Mozilla Foundation Security Advisory 2021-51: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ ∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02 ∗∗∗ Johnson Controls CEM Systems AC2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-04 ∗∗∗ Hitachi Energy Retail Operations and CSB Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2021
by Daily end-of-shift report 30 Nov '21

30 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 29-11-2021 18:00 − Dienstag 30-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Printing Shellz: Sicherheitslücken in HP-Druckern/-Multifunktionsgeräten ∗∗∗ --------------------------------------------- Passend zum 30. November, dem Computer Security Day habe ich noch was. Es gibt eine Sicherheitslücke in der Firmware bestimmter HP LaserJet, HP LaserJet Managed, HP PageWide und HP PageWide Managed Produkte. Diese sind möglicherweise für einen Pufferüberlauf anfällig. Das bedeutet, Angreifer könnten Druckaufträge oder Scans abfangen und ggf. die Firmennetzwerke lahmlegen. --------------------------------------------- https://www.borncity.com/blog/2021/11/30/printing-shellz-sicherheitslcken-i… ∗∗∗ Gefälschtes BAWAG SMS im Umlauf ∗∗∗ --------------------------------------------- Momentan kursieren gefälschte SMS-Nachrichten im Namen der BAWAG. Im SMS mit „BawagPSK“ als Absender werden EmpfängerInnen darüber informiert, dass ihr Konto angeblich gesperrt wurde und eine Sicherheitsapp installiert werden muss. Klicken Sie keinesfalls auf den Link. Dieser führt auf eine gefälschte BAWAG-Website! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-bawag-sms-im-umlauf/ ∗∗∗ Malicious USB drives: Still a security problem ∗∗∗ --------------------------------------------- A malicious USB drive dropped in a parking lot - this image has become a bit of a trope in IT security circles. Still, the threat is very real and more relevant than ever. --------------------------------------------- https://www.gdatasoftware.com/blog/2021/11/usb-drives-still-a-danger ∗∗∗ What We’ve Learned About SSH Brute Force Attacks ∗∗∗ --------------------------------------------- The first time I encountered brute force attacks I was a hosting specialist who received calls from frustrated site owners that wanted to know who’d gained access to their server. Many of them didn’t understand the importance of a password’s character strength, or how frequent attacks on “root” are as a username, including myself at one point in time. I’ve learned more about SSH Brute Force attacks throughout my years at Sucuri. --------------------------------------------- https://blog.sucuri.net/2021/11/what-weve-learned-about-ssh-brute-force-att… ∗∗∗ 300.000+ infections via Droppers on Google Play Store ∗∗∗ --------------------------------------------- In this blog we will discuss the recent techniques used to spread Android banking trojans via Google Play (MITRE T1475) resulting in significant financial loss for targeted banks. We will also discuss the, sometimes forgotten, by-product of collecting contacts and keystrokes by Banking trojans, resulting in severe data leakage. --------------------------------------------- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html ∗∗∗ Sabbath Ransomware Operators Target Critical Infrastructure ∗∗∗ --------------------------------------------- Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources. --------------------------------------------- https://www.securityweek.com/sabbath-ransomware-operators-target-critical-i… ∗∗∗ Yanluowang: Further Insights on New Ransomware Threat ∗∗∗ --------------------------------------------- At least one attacker now using Yanluowang may have previously been linked to Thieflock ransomware operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ya… ∗∗∗ Kernel Karnage – Part 5 (I/O & Callbacks) ∗∗∗ --------------------------------------------- After showing interceptor’s options, it’s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C. --------------------------------------------- https://blog.nviso.eu/2021/11/30/kernel-karnage-part-5-i-o-callbacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba), Fedora (kernel), openSUSE (netcdf and tor), SUSE (netcdf and python-Pygments), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/877186/ ∗∗∗ ZDI-21-1371: (0Day) Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1371/ ∗∗∗ ZDI-21-1370: (0Day) Esri ArcReader PMF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1370/ ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1244 ∗∗∗ Cross-Site Request Forgery im Team Password Manager (SYSS-2021-059) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-request-forgery-im-team-passwor… ∗∗∗ Host Header Poisoning im Team Password Manager (SYSS-2021-060) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/host-header-poisoning-im-team-password-man… ∗∗∗ Advisory: Vulnerabilities in B&R Automation Studio and PVI Windows Services ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16367454… ∗∗∗ Advisory: Number:Jack in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16367454… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2021-38999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Operations Analytics – Log Analysis (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU Binutils affects IBM Netezza Performance Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a code injection vulnerability (CVE-2021-38967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM License Key Server Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a disclosure of sensitive information vulnerability (CVE-2021-39000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2021
by Daily end-of-shift report 29 Nov '21

29 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-11-2021 18:00 − Montag 29-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ TrickBot phishing checks screen resolution to evade researchers ∗∗∗ --------------------------------------------- The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-scr… ∗∗∗ IT-Security: ETSI veröffentlicht erste Norm für sichere Smartphones ∗∗∗ --------------------------------------------- Ein neuer Standard des europäischen Normungsinstituts ETSI soll Herstellern weltweit helfen, die IT-Sicherheit bei Mobiltelefonen für Verbraucher zu erhöhen. --------------------------------------------- https://heise.de/-6278376 ∗∗∗ Google-Analyse: Cloud-Dienste durch schwache Passwörter angreifbar ∗∗∗ --------------------------------------------- Das Unternehmen hat Einbrüche in Cloud-Instanzen untersucht, nennt Ursachen und liefert daraus resultierende Handlungsempfehlungen. --------------------------------------------- https://heise.de/-6277514 ∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗ --------------------------------------------- In June 2021, security researcher Abdelhamid Naceri published a blog post about an "unpatched information disclosure" vulnerability in Windows. The post details the mechanics of the issue and its exploitation, allowing a non-admin Windows user to read arbitrary files even if they do not have permissions to do so. --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html ∗∗∗ Ghidra 101: Binary Patching ∗∗∗ --------------------------------------------- There are several circumstances where it can be helpful to make a modification to code or data within a compiled program. Sometimes, it is necessary to fix a vulnerability or compatibility issue without functional source code or compilers. This can happen when source code gets lost, systems go out of support, or software firms go out of business. In case you should find yourself in this situation, keep calm and read on to learn how to do this within Ghidra. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/ghidra-… ∗∗∗ AVM warnt vor Phishing-Mails mit FRITZ!Box-Anrufbeantworternachricht ∗∗∗ --------------------------------------------- Der Hersteller der FRITZ!Boxen, die Berliner-Firma AVM warnt aktuell von einer Welle von Phishing-Mails, die im Anhang angeblich eine Sprachnachricht des FRITZ!Box-Anrufbeantworters enthalten. Wer diesen Anhang per Doppelklick unter Windows abhören möchte, installiert sich Schadsoftware. --------------------------------------------- https://www.borncity.com/blog/2021/11/28/avm-warnt-vor-phishing-mails-mit-f… ∗∗∗ Cobalt Strike: Decrypting DNS Traffic – Part 5 ∗∗∗ --------------------------------------------- Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. --------------------------------------------- https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-… ===================== = Vulnerabilities = ===================== ∗∗∗ Backdoor.Win32.Coredoor.10.a / Authentication Bypass RCE ∗∗∗ --------------------------------------------- Description: The malware listens on TCP port 21000. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution. --------------------------------------------- https://cxsecurity.com/issue/WLB-2021110120 ∗∗∗ FortiClientWindows & FortiClient EMS - Privilege escalation via DLL Hijacking ∗∗∗ --------------------------------------------- An unsafe search path vulnerability in FortiClient and FortiClient EMS may allow an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path. --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-21-088 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen). --------------------------------------------- https://lwn.net/Articles/877105/ ∗∗∗ Insulet OmniPod Insulin Management System vulnerability ∗∗∗ --------------------------------------------- https://omnipod.lyrebirds.dk/ ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.11.2021
by Daily end-of-shift report 26 Nov '21

26 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-11-2021 18:00 − Freitag 26-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IT threat evolution Q3 2021 ∗∗∗ --------------------------------------------- WildPressure and LuminousMoth threat actors, FinSpy implants, zero-day vulnerabilities and PrintNightmare, threats for Linux and macOS in our review of Q3 2021. --------------------------------------------- https://securelist.com/it-threat-evolution-q3-2021/104876/ ∗∗∗ YARAs Private Strings, (Thu, Nov 25th) ∗∗∗ --------------------------------------------- YARA supports private strings. A string can be marked as private by including string modifier "private". Here is a use case. [...] --------------------------------------------- https://isc.sans.edu/diary/rss/28010 ∗∗∗ Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090, (Fri, Nov 26th) ∗∗∗ --------------------------------------------- Over the past 7 days, my honeypot captured a few hundred POST for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. If successfully exploited, could allow unauthenticated remote actors to bypass authentication and add the router to the botnet Mirai botnet. --------------------------------------------- https://isc.sans.edu/diary/rss/28072 ∗∗∗ EU needs more cybersecurity graduates, says ENISA infosec agency – pointing at growing list of masters degree courses ∗∗∗ --------------------------------------------- The EU needs more cybersecurity graduates to plug the political blocs shortage of skilled infosec bods, according to a report from the ENISA online security agency. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/11/26/enisa_cybers… ∗∗∗ RATDispenser: JavaScript-Loader installiert Remote Access Trojaners (RAT) in Windows ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag in Punkto Sicherheit, welcher mir die Tage unter die Augen gekommen ist. Die Sicherheitsforscher von HP Thread-Research sind auf einen in JavaScript geschriebenen Loader gestoßen, der auf Windows-Systemen Remote Access Trojaner (RAT) installiert. Der Entwickler scheint [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/26/ratdispenser-javascript-loader-ins… ===================== = Vulnerabilities = ===================== ∗∗∗ Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices ∗∗∗ --------------------------------------------- Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L. Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises. --------------------------------------------- https://securityaffairs.co/wordpress/125016/hacking/0-day-tp-link-wi-fi-6.h… ∗∗∗ Angreifer könnten die Kontrolle über Videoüberwachungssysteme von Qnap erlangen ∗∗∗ --------------------------------------------- Ein wichtiges Update schließt unter anderem eine kritische Lücke in einigen Netzwerk-Videorekordern von Qnap. --------------------------------------------- https://heise.de/-6277445 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (freerdp, gnome-boxes, gnome-connections, gnome-remote-desktop, guacamole-server, hydra, java-1.8.0-openjdk-aarch32, medusa, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, php, pidgin-sipe, remmina, vinagre, and weston), openSUSE (kernel and netcdf), and SUSE (kernel and netcdf). --------------------------------------------- https://lwn.net/Articles/876922/ ∗∗∗ Zoom Video Communications Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1235 ∗∗∗ Security Bulletin: Vulnerability in jsoup may affect Cúram Social Program Management (CVE-2021-37714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jsoup-ma… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Dojo may affect IBM Cúram Social Program Management (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may… ∗∗∗ Security Bulletin: Vulnerability in Apache Santuario XML Security for Java may affect Cúram Social Program Management (CVE-2021-40690) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2021
by Daily end-of-shift report 25 Nov '21

25 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-11-2021 18:00 − Donnerstag 25-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New CronRAT malware infects Linux systems using odd day cron jobs ∗∗∗ --------------------------------------------- Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cronrat-malware-infects-… ∗∗∗ Discord malware campaign targets crypto and NFT communities ∗∗∗ --------------------------------------------- A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/discord-malware-campaign-tar… ∗∗∗ Improving security for mobile devices: CISA issues guides ∗∗∗ --------------------------------------------- CISA has released actionable guides with advice on how to improve security for mobile devices, both for consumers and organizations. --------------------------------------------- https://blog.malwarebytes.com/android/2021/11/improving-security-for-mobile… ∗∗∗ Bitcoin-Erpressung mit Masturbationsaufnahmen ∗∗∗ --------------------------------------------- Alle Jahre wieder versuchen Kriminelle durch erfundene Behauptungen, Geld zu erpressen. Angeblich wurden Ihre Systeme gehackt und Sie dadurch während dem Aufruf pornografischer Inhalte gefilmt. Die Nachricht ist frei erfunden und wird massenhaft ausgesendet. --------------------------------------------- https://www.watchlist-internet.at/news/bitcoin-erpressung-mit-masturbations… ∗∗∗ Sophisticated Tardigrade malware launches attacks on vaccine manufacturing infrastructure ∗∗∗ --------------------------------------------- Security researchers are warning biomanufacturing facilities around the world that they are being targeted by a sophisticated new strain of malware, known as Tardigrade. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/sophist… ∗∗∗ Black-Friday-Spam-Kampagnen in den Startlöchern ∗∗∗ --------------------------------------------- Am 26. November 2021 ist Black Friday – da gibt es fast alles umsonst. Das ruft auch Cyber-Kriminelle auf den Plan und diese greifen Verbraucher verstärkt mit Online-Shopping-Betrugsversuchen an. --------------------------------------------- https://www.borncity.com/blog/2021/11/25/black-friday-spam-kampagnen-in-den… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware dichtet Schwachstellen in vSphere Web Client ab - zum Teil ∗∗∗ --------------------------------------------- Der Hersteller meldet Sicherheitslücken, teils mit hohem Risiko. Es gibt jedoch noch nicht für alle betroffenen Produkte Updates. --------------------------------------------- https://heise.de/-6276216 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (busybox, getdata, and php), Mageia (couchdb, freerdp, openexr, postgresql, python-reportlab, and rsh), openSUSE (bind, java-1_8_0-openjdk, and kernel), SUSE (java-1_7_0-openjdk), and Ubuntu (icu). --------------------------------------------- https://lwn.net/Articles/876852/ ∗∗∗ ModSecurity DoS Vulnerability in JSON Parsing (CVE-2021-42717) ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Ant affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerabilities affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2021
by Daily end-of-shift report 24 Nov '21

24 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-11-2021 18:00 − Mittwoch 24-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Phishing page hiding itself using dynamically adjusted IP-based allow list, (Wed, Nov 24th) ∗∗∗ --------------------------------------------- It can be instructive to closely examine even completely usual-looking phishing messages from time to time, since they may lead one to unusual phishing sites or may perhaps use some novel technique that might not be obvious at first glance. --------------------------------------------- https://isc.sans.edu/diary/rss/28070 ∗∗∗ Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery, and Webshells ∗∗∗ --------------------------------------------- This blog series explores methods attackers might use to maintain persistent access to a compromised linux system. --------------------------------------------- https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persi… ∗∗∗ Nach Windows-Update: Zero-Day-Lücke erlaubt lokale Rechteausweitung ∗∗∗ --------------------------------------------- Eines der Windows-Updates im November sollte eine gefährliche Lücke schließen. Doch sie lässt sich noch immer zur Erhöhung der eigenen Rechte missbrauchen. --------------------------------------------- https://heise.de/-6274893 ∗∗∗ Vorsicht vor Love Scams auf Facebook Dating! ∗∗∗ --------------------------------------------- Immer wieder melden uns besorgte LeserInnen sogenannte Love- oder Romance-Scammer. Dabei handelt es sich um Online-Bekanntschaften, die sich durch Liebesbeteuerungen das Vertrauen der Opfer erschleichen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-facebook… ∗∗∗ New JavaScript malware works as a “RAT dispenser” ∗∗∗ --------------------------------------------- Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy much dangerous remote access trojans (RATs). --------------------------------------------- https://therecord.media/new-javascript-malware-works-as-a-rat-dispenser/ ∗∗∗ ASEC Weekly Malware Statistics (November 15th, 2021 – November 21st, 2021) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from November 15th, 2021 (Monday) to November 21st, 2021 (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/28954/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (libxls, roundcubemail, and vim), openSUSE (bind, java-1_8_0-openjdk, and redis), Red Hat (kernel, kernel-rt, kpatch-patch, krb5, mailman:2.1, openssh, and rpm), Scientific Linux (kernel, krb5, openssh, and rpm), SUSE (bind, java-1_8_0-openjdk, redis, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/876799/ ∗∗∗ Schwachstelle in MediaTek-Chips von Android-Smartphones ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben in einer Android-APU, die APU ist die AI Processing Unit in MediaTek-Chips, eine Schwachstelle entdeckt. Die Sicherheitsforscher warnen, dass Nutzer über den Audio-Prozessor abgehört werden können. Die Mediatek-Chips sind in 37 % aller Android-Geräte verbaut. --------------------------------------------- https://www.borncity.com/blog/2021/11/24/schwachstelle-in-mediatek-chips-vo… ∗∗∗ ZDI-21-1333: Adobe Creative Cloud Incorrect Permission Assignment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1333/ ∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211124-… ∗∗∗ Security Bulletin: Weak Cryptographic Control Vulnerability Affects IBM Sterling Connect:Direct Web Services (CVE-2021-38891) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-weak-cryptographic-contro… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Account Lockout Vulnerability Affects IBM Sterling Connect:Direct Web Services (CVE-2021-38890) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-account-lockout-vulnerabi… ∗∗∗ Security Bulletin: PostgreSQL Sensitive Information Exposure Vulnerability Affects IBM Connect:Direct Web Services (CVE-2021-32029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-sensitive-info… ∗∗∗ K20072454: Linux kernel vulnerability CVE-2021-43267 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20072454 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2021
by Daily end-of-shift report 23 Nov '21

23 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 22-11-2021 18:00 − Dienstag 23-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung: ProxyShell, Squirrelwaffle und ein PoC-Eploit, patcht endlich eure Exchange-Server ∗∗∗ --------------------------------------------- Wie oft denn noch? Aktuell warne ich fast im Tagesrhythmus vor dem Betrieb ungepatchter Exchange-Schwachstellen und ProxyShell-Angriffen. Vor einigen Tagen hat Trend Micro eine Warnung vor Angriffen auf die ProxyShell-Schwachstellen über den Squirrelwaffle-Exploit und der Übernahme der Exchange-E-Mail-Postfächer gewarnt. Seit wenigen Stunden ist ein weitere Exploit als Proof of Concept öffentlich, die Ausnutzung gegen ungepatchte Exchange-Server ist wahrscheinlich. Patcht also endlich die Systeme. --------------------------------------------- https://www.borncity.com/blog/2021/11/23/warnung-proxyshell-squirrelwaffle-… ∗∗∗ GoDaddy-Datenpanne betrifft 1,2 Millionen WordPress-Kunden ∗∗∗ --------------------------------------------- Hacker verschafft sich Zugang zu den persönlichen Daten von mehr als 1,2 Millionen Kunden des WordPress-Hostingdienstes von GoDaddy. --------------------------------------------- https://heise.de/-6274187 ∗∗∗ FBI warnt vor Einbrüchen via VPN-Software ∗∗∗ --------------------------------------------- Bei Untersuchungen stießen Strafverfolger vom FBI auf Sicherheitslücken in VPN-Software, durch die Cyberkriminelle derzeit in Netzwerke eindringen. --------------------------------------------- https://heise.de/-6274101 ∗∗∗ ZDF-Reportage: Wie Betrüger online abzocken ∗∗∗ --------------------------------------------- Wer sind die Cyber-Kriminellen hinter den unzähligen Fake-Shops und wie können sie entlarvt werden? "WISO crime" - ein ZDF-Format berichtet über Fake-Shops im Internet und versucht, einem Fake-Shop-Betreiber auf die Schliche zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/zdf-reportage-wie-betrueger-online-a… ∗∗∗ Over nine million Android devices infected by info-stealing trojan ∗∗∗ --------------------------------------------- A large-scale malware campaign on Huaweis AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-nine-million-android-de… ∗∗∗ How to investigate service provider trust chains in the cloud ∗∗∗ --------------------------------------------- This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/22/how-to-investigate-servi… ∗∗∗ Simple YARA Rules for Office Maldocs, (Mon, Nov 22nd) ∗∗∗ --------------------------------------------- In diary entry "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" I shared 2 simple YARA rules to triage Office documents with VBA code. --------------------------------------------- https://isc.sans.edu/diary/rss/28062 ∗∗∗ Observing Attacks Against Hundreds of Exposed Services in Public Clouds ∗∗∗ --------------------------------------------- Insecurely exposed services are common misconfigurations in cloud environments. We used a honeypot infrastructure to learn about attacks against them. --------------------------------------------- https://unit42.paloaltonetworks.com/exposed-services-public-clouds/ ∗∗∗ What to do if you receive a data breach notice ∗∗∗ --------------------------------------------- Receiving a breach notification doesn't mean you’re doomed - here's what you should consider doing in the hours and days after learning that your personal data has been exposed --------------------------------------------- https://www.welivesecurity.com/2021/11/22/what-do-if-you-receive-data-breac… ∗∗∗ GÉANT launches new security services website ∗∗∗ --------------------------------------------- As technology becomes more complex and threats more sophisticated, it’s a challenge to keep any organisation’s online environment and physical infrastructure secure. Security services protect both the networks and services from attacks, but also help secure individuals using the networks. --------------------------------------------- https://connect.geant.org/2021/11/23/geant-launches-new-security-services-w… ∗∗∗ The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see. ∗∗∗ --------------------------------------------- TL;DR - In this blogpost, we will give you an introduction to DORA, as well as how you can prepare yourself to be ready for it. More specifically, throughout this blogpost we will try to formulate an answer to following questions: What is DORA and what are the key requirements of DORA? What are the biggest [...] --------------------------------------------- https://blog.nviso.eu/2021/11/23/the-digital-operational-resilience-act-dor… ∗∗∗ GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks ∗∗∗ --------------------------------------------- In part three of a series, GoSecure ethical hackers have found another way to exploit insecure Windows Server Update Services (WSUS) configurations. By taking advantage of the authentication provided by the Windows update client and relaying it to other domain services, we found this can lead to remote code execution. In this blog, we’ll share our findings and recommend mitigations. --------------------------------------------- https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-wind… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2021-0027 ∗∗∗ --------------------------------------------- VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0027.html ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- XSA-385 - guests may exceed their designated memory limit XSA-387 - grant table v2 status pages may remain accessible after de-allocation (take two) XSA-388 - PoD operations on misaligned GFNs XSA-389 - issues with partially successful P2M updates on x86 --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Vulnerability Spotlight: PHP deserialize vulnerability in CloudLinux Imunity360 could lead to arbitrary code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security. --------------------------------------------- https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-php-dese… ∗∗∗ A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades ∗∗∗ --------------------------------------------- Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere --------------------------------------------- https://blog.talosintelligence.com/2021/11/a-review-of-azure-sphere.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mbedtls), Red Hat (kernel and rpm), and Ubuntu (freerdp2). --------------------------------------------- https://lwn.net/Articles/876723/ ∗∗∗ 0-Day LPE-Schwachstelle im Windows Installer (Nov. 2021) ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine eine 0-Day-Schwachstelle im Windows Installer gefunden, über die ein lokaler Angreifer Administratorrechte erlangen kann. Die Windows Installer Elevation of Privilege"-Schwachstelle CVE-2021-41379 ist zwar im November 2021 gepatcht worden. Aber es gibt eine Umgehungslösung, der Patch ist wirkungslos. Betroffen sind alle Windows-Versionen, einschließlich Windows 10, dass brandneue Windows 11 sowie alle Windows Server-Versionen. --------------------------------------------- https://www.borncity.com/blog/2021/11/23/0-day-lpe-schwachstelle-im-windows… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues within the IBM® Runtime Environment Java™ Technology Edition, Version 8 shipped with IBM MQ (CVE-2021-2432, CVE-2021-2388) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: Vulnerability in MIT Kerberos 5 (CVE-2020-28196) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mit-kerb… ∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2018-17199 and CVE-2020-11993) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-h… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat (CVE-2021-42340) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing messages. (CVE-2021-38875) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Vulnerability in Bash (CVE-2019-18276) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-cve… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in glib2 (CVE-2021-27218 and CVE-2021-27219) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-glib2-cv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2021
by Daily end-of-shift report 22 Nov '21

22 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-11-2021 18:00 − Montag 22-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Picky PPID Spoofing ∗∗∗ --------------------------------------------- Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend in the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships. --------------------------------------------- https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html ∗∗∗ Command injection prevention for Python ∗∗∗ --------------------------------------------- This is a command/code injection prevention cheat sheet by r2c. It contains code patterns of potential ways to run an OS command or arbitrary code in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigates the possibility of command/code injection in your code. --------------------------------------------- https://semgrep.dev/docs/cheat-sheets/python-command-injection/ ∗∗∗ Missing Link: Wie sicher ist der Anonymisierungsdienst Tor? ∗∗∗ --------------------------------------------- Tor gilt als Wunderwaffe gegen den Überwachungswahn von Geheimdiensten. Wie gut lässt sich die Technologie knacken? Ist Tor tatsächlich NSA- und BND-proof? --------------------------------------------- https://heise.de/-6272025 ∗∗∗ Virtuelle Mobilfunknetze mit Open RAN: BSI sieht Sicherheitsrisiken ∗∗∗ --------------------------------------------- Mehr "Security by Design" empfehlen die Autoren einer Risikoanalyse des BSI für die Weiterentwicklung von Open RAN – nachträgliche Korrekturen seien aufwändig. --------------------------------------------- https://heise.de/-6274060 ∗∗∗ UEFI virtual machine firmware hardening through snapshots and attack surface reduction. (arXiv:2111.10167v1 [cs.SE]) ∗∗∗ --------------------------------------------- This paper introduces Amaranth project - a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines as it allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction. --------------------------------------------- http://arxiv.org/abs/2111.10167 ∗∗∗ Oh ... Ransomware verschlüsselt meine virtuellen Maschinen direkt im Hypervisor ... Wie jetzt? ∗∗∗ --------------------------------------------- Viele Ransomware- oder Ransomware-as-a-Service (RaaS)- Gruppen besitzen inzwischen die Fähigkeit, virtuelle Maschinen direkt auf Hypervisor-Ebene zu verschlüsseln. Das heisst, es sind nicht einzelne Clients, Workstations oder Server auf Windows Betriebsystem-Ebene, sondern alle Maschinen, die virtualisiert - auf zum Beispiel VMware ESXi oder Microsoft Hyper-V - laufen, gleichzeitig betroffen. Die Cybersecurityfirma Crowdstrike hat dieser Thematik zwei interessante Blog-Posts gewidmet --------------------------------------------- https://cert.at/de/blog/2021/11/oh-ransomware-verschlusselt-meine-virtuelle… ∗∗∗ NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- CISA has announced the joint National Security Agency (NSA) and CISA publication of the second of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual network, also known as Pods. The guidance provides several aspects of pod security including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-rele… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗ --------------------------------------------- R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. CVEs: CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923, CVE-2021-21915, CVE-2021-21916, CVE-2021-21917, CVE-2021-21918, CVE-2021-21919, CVE-2021-21910, CVE-2021-21911, CVE-2021-21912 --------------------------------------------- http://blog.talosintelligence.com/2021/11/re-see-net-advantched-vuln-spotli… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firebird3.0, libmodbus, and salt), Fedora (js-jquery-ui and wordpress), Mageia (arpwatch, chromium-browser-stable, php, rust, and wireshark), openSUSE (barrier, firefox, hylafax+, opera, postgresql12, postgresql13, postgresql14, and tomcat), SUSE (ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma, ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma, firefox, kernel, postgresql, postgresql13, postgresql14, postgresql10, postgresql12, postgresql13, postgresql14, postgresql96, and samba), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/876655/ ∗∗∗ Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications ∗∗∗ --------------------------------------------- Talos has published 18 separate advisories describing the vulnerabilities. The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15. --------------------------------------------- https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-des… ∗∗∗ ZDI-21-1332: Commvault CommCell AppStudioUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1332/ ∗∗∗ ZDI-21-1331: Commvault CommCell Demo_ExecuteProcessOnGroup Exposed Dangerous Function Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1331/ ∗∗∗ ZDI-21-1330: Commvault CommCell DownloadCenterUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1330/ ∗∗∗ ZDI-21-1329: Commvault CommCell DataProvider JavaScript Sandbox Escape Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1329/ ∗∗∗ ZDI-21-1328: Commvault CommCell CVSearchService Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1328/ ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2021
by Daily end-of-shift report 19 Nov '21

19 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-11-2021 18:00 − Freitag 19-11-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitsbedrohungen im Web: Die größten Risiken laut OWASP Top Ten 2021 ∗∗∗ --------------------------------------------- Die OWASP Top Ten 2021 aktualisiert die Liste der Sicherheitsbedrohungen im Web. Defekte Zugriffsbeschränkungen stehen an erster Stelle. --------------------------------------------- https://heise.de/-6271591 ∗∗∗ Qnap veröffentlicht NAS-Updates und deaktiviert aus Sicherheitsgründen eine App ∗∗∗ --------------------------------------------- Angreifer könnten Netzwerkspeicher von Qnap attackieren. Der Sicherheitspatch für eine Lücke steht noch aus. --------------------------------------------- https://heise.de/-6272271 ∗∗∗ Azure Active Directory: Sicherheitslücke entblößt private Schlüssel ∗∗∗ --------------------------------------------- In Azure Automation waren private Schlüssel für jeden Nutzer des AD einsehbar. Obwohl Microsoft das Problem gelöst hat, ist ein Schlüsseltausch angeraten. --------------------------------------------- https://heise.de/-6272248 ∗∗∗ ProxyNoShell: Mandiant warnt vor neuen Angriffsmethoden auf Exchange-Server (Nov. 2021) ∗∗∗ --------------------------------------------- Cyber-Angreifer verwenden seit Monaten drei bekannte Schwachstellen in Microsofts Exchange Servern, für die es bereits seit Monaten Updates gibt. Trotzdem sind um die 30.000 Microsoft Exchange Sever per Internet erreichbar, die über diese Schwachstellen angreifbar sind. Sicherheitsforscher haben jetzt eine [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/19/proxynoshell-mandiant-warnt-vor-ne… ∗∗∗ Malware downloaded from PyPI 41,000 times was surprisingly stealthy ∗∗∗ --------------------------------------------- Malware infiltrating open source repositories is getting more sophisticated. --------------------------------------------- https://arstechnica.com/?p=1814211 ∗∗∗ Android malware BrazKing returns as a stealthier banking trojan ∗∗∗ --------------------------------------------- The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-brazking-ret… ∗∗∗ Ransomware Phishing Emails Sneak Through SEGs ∗∗∗ --------------------------------------------- The MICROP ransomware spreads via Google Drive and locally stored passwords. --------------------------------------------- https://threatpost.com/ransomware-phishing-emails-segs/176470/ ∗∗∗ Downloader Disguised as Excel Add-In (XLL), (Fri, Nov 19th) ∗∗∗ --------------------------------------------- At the Internet Storm Center, we like to show how exotic extensions can be used to make victims feel confident to open malicious files. There is an interesting webpage that maintains a list of dangerous extensions used by attackers: filesec.io[1]. The list is regularly updated and here is an example of malicious file that is currently not listed: "XLL". It's not a typo, it's not a "DLL" but close to! --------------------------------------------- https://isc.sans.edu/diary/rss/28052 ∗∗∗ New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks ∗∗∗ --------------------------------------------- Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian said. --------------------------------------------- https://thehackernews.com/2021/11/new-side-channel-attacks-re-enable.html ∗∗∗ Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure ∗∗∗ --------------------------------------------- Security researchers have checked the webs public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/11/19/web_trust_ce… ∗∗∗ Patch now! FatPipe VPN zero-day actively exploited ∗∗∗ --------------------------------------------- The FBI has revealed that APT actors have been abusing a zero-day in FatPipes MPVPN, WARP, and IPVPN products since May. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-no… ∗∗∗ New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses ∗∗∗ --------------------------------------------- Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. Weve recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. In this latest campaign, operators deployed clipboard hijacking code that replaces a [...] --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/aggah-clipboard-hija… ∗∗∗ Ransomware is now a giant black hole that is sucking in all other forms of cybercrime ∗∗∗ --------------------------------------------- File-encrypting malware is where the money is -- and thats changing the whole online crime ecosystem. --------------------------------------------- https://www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-… ∗∗∗ All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients ∗∗∗ --------------------------------------------- [...] Team82’s research uncovered four vulnerabilities in popular industrial VPN solutions from vendors HMS Industrial Networks, Siemens, PerFact, and MB connect line. The vulnerabilities expose users to remote and arbitrary code execution attacks, and also enable attackers to elevate privileges. All four vendors have either provided a fix in an updated version of their respective products, or suggested mitigations. --------------------------------------------- https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwni… ∗∗∗ Kernel Karnage – Part 4 (Inter(ceptor)mezzo) ∗∗∗ --------------------------------------------- To make up for the long wait between parts 2 and 3, we’re releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. --------------------------------------------- https://blog.nviso.eu/2021/11/19/kernel-karnage-part-4-interceptormezzo/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletin: Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗ --------------------------------------------- A vulnerability in the sed command could allow an authenticated attacker to escape from a restricted shell to obtain sensitive information and cause a denial of service. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sed-affe… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2021-29843 ∗∗∗ --------------------------------------------- IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. The issue is described by CVE-2021-29843. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Xen Security Advisory CVE-2021-28710 / XSA-390 - certain VT-d IOMMUs may not work in shared page table mode ∗∗∗ --------------------------------------------- Impact: A malicious guest may be able to escalate its privileges to that of the host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-390.html ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome. --------------------------------------------- https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-user-aft… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird). --------------------------------------------- https://lwn.net/Articles/876528/ ∗∗∗ QNX-2021-002 Vulnerability in BMP Image Codec Impacts BlackBerry QNX Software Development Platform (SDP) ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ K48382137: Bootstrap vulnerability CVE-2018-14040 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48382137 ∗∗∗ K19785240: Bootstrap vulnerability CVE-2018-14042 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19785240 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2021
by Daily end-of-shift report 18 Nov '21

18 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-11-2021 18:00 − Donnerstag 18-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ PerSwaysion Phishing Campaign Continues to Be an Active Threat for Organizations ∗∗∗ --------------------------------------------- Research shows that multiple attack groups have been using the Microsoft file-sharing service - leveraging phishing kit for much longer than previously thought. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/-perswaysion-phishing-c… ∗∗∗ Fake Ransomware Infection Hits WordPress Sites ∗∗∗ --------------------------------------------- WordPress sites have been splashed with ransomware warnings that are as real as dime-store cobwebs made out of spun polyester. --------------------------------------------- https://threatpost.com/fake-ransomware-infection-wordpress/176410/ ∗∗∗ Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs ∗∗∗ --------------------------------------------- Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property. [...] As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,”... --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/11/17/guidance-for-azure-active-di… ∗∗∗ [Conti] Ransomware Group In-Depth Analysis ∗∗∗ --------------------------------------------- Providing a detailed perspective towards different fundamental aspects of Conti's Operation, our report approaches this case through different angles such as "Business Model", "Conti Attack Kill Chain", "Management Panel" and "Money Operation". --------------------------------------------- https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analys… ∗∗∗ Portable Malware Analyzis Lab ∗∗∗ --------------------------------------------- Short tutorial about the installation of a malware analyzis lab on Proxmox. --------------------------------------------- https://blog.rootshell.be/2021/11/17/portable-malware-analyzis-lab/ ∗∗∗ New ETW Attacks Can Allow Hackers to Blind Security Products ∗∗∗ --------------------------------------------- Researchers have described two new attack methods that can be used to “blind” cybersecurity products that rely on a logging mechanism named Event Tracing for Windows (ETW). ETW, which is present by default in Windows since Windows XP, is designed for tracing and logging events associated with user-mode applications and kernel-mode drivers. --------------------------------------------- https://www.securityweek.com/new-etw-attacks-can-allow-hackers-blind-securi… ∗∗∗ biovea.net und biovea.com: Häufig Probleme bei Bestellungen ∗∗∗ --------------------------------------------- Biovea bietet auf den Websites biovea.net und biovea.com diverse Nahrungsergänzungsmittel, Körperpflegeprodukte und Waren aus dem Gesundheitsbereich an. Bestellte Produkte werden tatsächlich versandt, doch fehlende Kontaktinformationen, Versand teils aus Amerika und der Import der Produkte beim Zoll können zu zahlreichen Problemen für Bestellende führen. --------------------------------------------- https://www.watchlist-internet.at/news/bioveanet-und-bioveacom-haeufig-prob… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011 ∗∗∗ --------------------------------------------- 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to --------------------------------------------- https://www.drupal.org/sa-core-2021-011 ∗∗∗ Drupal: OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044 ∗∗∗ --------------------------------------------- 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default This module enables users to authenticate through their Microsoft Azure AD account.The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another --------------------------------------------- https://www.drupal.org/sa-contrib-2021-044 ∗∗∗ Vulnerability Spotlight: Multiple code execution vulnerabilities in LibreCAD ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in LibreCAD’s libdfxfw open-source library. This library reads and writes .dxf and .dwg files — the primary file format for vector graphics in CAD software. LibreCAD, a free computer-aided design software for 2-D models, uses this libdfxfw. [...] Users are encouraged to update these affected products as soon as possible: LibreCad libdxfrw, version 2.2.0-rc2-19-ge02f3580. Talos tested and confirmed these versions of the library could be exploited by this vulnerability. --------------------------------------------- http://blog.talosintelligence.com/2021/11/libre-cad-vuln-spotlight-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils). --------------------------------------------- https://lwn.net/Articles/876413/ ∗∗∗ Reflected XSS Vulnerability in Ragic Cloud DB ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic. To secure your device, we recommend uninstalling Ragic Cloud DB until a security patch is available. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-48 ∗∗∗ CSRF Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in. We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-49 ∗∗∗ Heap-Based Buffer Overflow Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- A heap-based buffer overflow vulnerability has been reported to affect QNAP NAS devices that have Apple File Protocol (AFP) enabled in QTS or QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS and QuTS hero: [...] --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-50 ∗∗∗ Security Bulletin: Vulnerabilitiy affects IBM Observability with Instana ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-affects-ib… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Philips IntelliBridge EC 40 and EC 80 Hub ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-322-01 ∗∗∗ Philips Patient Information Center iX (PIC iX) and Efficia CM Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-322-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2021
by Daily end-of-shift report 17 Nov '21

17 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-11-2021 18:00 − Mittwoch 17-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ These are the cryptomixers hackers use to clean their ransoms ∗∗∗ --------------------------------------------- Cryptomixers have always been at the epicenter of cybercrime activity, allowing hackers to "clean" cryptocurrency stolen from victims and making it hard for law enforcement to track them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/these-are-the-cryptomixers-h… ∗∗∗ 6 Tips To Keep in Mind for Ransomware Defense ∗∗∗ --------------------------------------------- Ransomware is everywhere, including the nightly news. Most people know what it is, but how do ransomware attackers get in, and how can we defend against them? --------------------------------------------- https://www.darkreading.com/edge-articles/6-tips-to-keep-in-mind-for-ransom… ∗∗∗ Github: NPM-Pakete konnten beliebig überschrieben werden ∗∗∗ --------------------------------------------- Ein Fehler in der NPM-Registry hat das Überschreiben von Paketen ermöglicht. Github weiß nicht sicher, ob dies ausgenutzt wurde. --------------------------------------------- https://www.golem.de/news/github-npm-pakete-konnten-beliebig-ueberschrieben… ∗∗∗ Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma ∗∗∗ --------------------------------------------- Thanks to the work of Google’s TAG team, we were able to grab two versions of the backdoor used by the threat actors, which we will label UserAgent 2019 and UserAgent 2021. --------------------------------------------- https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-target… ∗∗∗ Lücken in Industrie-IoT-Protokoll ermöglichen Fremdsteuerung ∗∗∗ --------------------------------------------- Implementierungen eines Datenaustauschprotokolls für industrielle Steuerungen sind anfällig für Manipulationen, die zu Schäden führen könnten. --------------------------------------------- https://heise.de/-6268372 ∗∗∗ Bestellung auf fotoexperte24.de führt in Abo-Falle! ∗∗∗ --------------------------------------------- Auf der Webseite fotoexperte24.de können günstige Passbilder für verschiedene Ausweise bestellt werden. Doch tatsächlich handelt es sich um einen Fake-Shop, der keine Bilder liefert. Stattdessen bucht der unseriöse Anbieter deutlich mehr Geld von der Kreditkarte ab als beim Bestellprozess angezeigt wurde. --------------------------------------------- https://www.watchlist-internet.at/news/bestellung-auf-fotoexperte24de-fuehr… ∗∗∗ Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 ∗∗∗ --------------------------------------------- Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffi… ∗∗∗ ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities ∗∗∗ --------------------------------------------- In several recent Incident Response engagements, Mandiant has observed threat actors exploiting the vulnerabilities in different ways than previously reported. --------------------------------------------- https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. Davon wird eine als "Kritisch", sechs als "High", und acht als "Medium" eingestuft. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr). --------------------------------------------- https://lwn.net/Articles/876327/ ∗∗∗ Netgear patches severe pre-auth RCE in 61 router and modem models ∗∗∗ --------------------------------------------- Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office and small home (SOHO) routers this year. --------------------------------------------- https://therecord.media/netgear-deals-with-its-fifth-wave-of-severe-rce-bug… ∗∗∗ ZDI-21-1320: Trend Micro Antivirus for Mac Improper Access Control Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1320/ ∗∗∗ ZDI-21-1319: (0Day) Autodesk Design Review PNG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1319/ ∗∗∗ ZDI-21-1317: (0Day) Autodesk Design Review PDF File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1317/ ∗∗∗ ZDI-21-1316: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1316/ ∗∗∗ ZDI-21-1315: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1315/ ∗∗∗ Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Common Services Platform Collector SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ WooCommerce Extension – Reflected XSS Vulnerability ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-… ∗∗∗ Synology-SA-21:29 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_29 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-320-01 ∗∗∗ Mitsubishi Electric GOT products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-320-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2021
by Daily end-of-shift report 16 Nov '21

16 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 15-11-2021 18:00 − Dienstag 16-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Malware: Emotet ist zurück ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine neue Variante von Emotet entdeckt. Noch wird der Schädling von einer anderen Malware nachgeladen. --------------------------------------------- https://www.golem.de/news/malware-emotet-ist-zurueck-2111-161124-rss.html ∗∗∗ Windows Sonder-Updates gegen DC-Authentifizierungsprobleme und Druckprobleme ∗∗∗ --------------------------------------------- Die Sicherheitsupdates vom November für Windows verursachen teils Authentifizierungsprobleme bei Domain Controllern sowie Druckprobleme. Microsoft patcht nach. --------------------------------------------- https://heise.de/-6267784 ∗∗∗ Fake Ransomware Infection Spooks Website Owners ∗∗∗ --------------------------------------------- Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “FOR RESTORE SEND 0.1 BITCOIN” were sitting at 6 last week and increased to 291 at the time of writing this. --------------------------------------------- https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-ow… ∗∗∗ GitHub Confirms Another Major NPM Security Defect ∗∗∗ --------------------------------------------- Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain. --------------------------------------------- https://www.securityweek.com/github-confirms-another-major-npm-security-def… ∗∗∗ Black Friday: Vorsicht vor Fake-Angeboten ∗∗∗ --------------------------------------------- Am 26. November 2021 ist Black Friday. Und darauf folgt am 29. November schon der Cyber Monday - für Schnäppchenjäger wahre Shopping-Feiertage. Wir raten aber zur Vorsicht: Nicht nur seriöse Anbieter locken mit günstigen Preisen und Rabatten, auch Fake-Shops werben mit Black Friday Angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/black-friday-vorsicht-vor-fake-angeb… ∗∗∗ An update on the state of the NIS2 draft ∗∗∗ --------------------------------------------- This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th. This is not a complete review of the current state of the NIS2 discussions. --------------------------------------------- https://cert.at/en/blog/2021/11/an-update-on-the-state-of-the-nis2-draft ∗∗∗ New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks ∗∗∗ --------------------------------------------- [...] today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/16/new-federal-gover… ∗∗∗ A new Android banking trojan named SharkBot is makings its presence felt ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan capable of hijacking users smartphones and emptying out e-banking and cryptocurrency accounts. --------------------------------------------- https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-maki… ∗∗∗ New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk ∗∗∗ --------------------------------------------- Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin [...] --------------------------------------------- https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-att… ∗∗∗ Kernel Karnage – Part 3 (Challenge Accepted) ∗∗∗ --------------------------------------------- [...] The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that didn’t impress our blue team, so I received a challenge to bypass $vendor2. I have to admit, after trying all week to get around the protections, $vendor2 is definitely a bigger beast to tame. --------------------------------------------- https://blog.nviso.eu/2021/11/16/kernel-karnage-part-3-challenge-accepted/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/876227/ ∗∗∗ Synology-SA-21:28 Mail Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_28 ∗∗∗ AMD Windows 10-Grafiktreiber mit Schwachstellen (Nov. 2021) ∗∗∗ --------------------------------------------- Nutzer mit AMD-Grafikkarten und Windows 10 sollten sich mit dem Thema Aktualisierung von AMD-Grafiktreibern befassten. Der Hersteller hat eingestanden, dass seine Windows 10-Grafiktreiber zahlreiche Sicherheitslücken aufweisen. Einige Schwachstellen (z.B. im Grafiktreiber) werden als sicherheitstechnisch Hoch eingestuft. --------------------------------------------- https://www.borncity.com/blog/2021/11/16/amd-windows-10-treiber-mit-schwach… ∗∗∗ WAGO: Denial of Service Vulnerability in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-049/ ∗∗∗ WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-050/ ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-056/ ∗∗∗ Grafana: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1205 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1207 ∗∗∗ ZDI-21-1312: Open Design Alliance (ODA) ODAViewer DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1312/ ∗∗∗ ZDI-21-1311: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1311/ ∗∗∗ ZDI-21-1310: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1310/ ∗∗∗ Security Bulletin: A vulnerability in filesystem audit logging affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-filesy… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-mq-for-hp-n… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse (CVE-2020-27225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM MQ can inadvertently display cleartext credentials via diagnostic logs (CVE-2021-38949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-can-inadvertently-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2021
by Daily end-of-shift report 15 Nov '21

15 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-11-2021 18:00 − Montag 15-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ PSA: Apple isn’t actually patching all the security holes in older versions of macOS ∗∗∗ --------------------------------------------- Big Sur got a fix 234 days before Catalina did, although both are supported. --------------------------------------------- https://arstechnica.com/?p=1812611 ∗∗∗ FTC shares ransomware defense tips for small US businesses ∗∗∗ --------------------------------------------- The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to secure their networks from ransomware attacks by blocking threat actors attempts to exploit vulnerabilities using social engineering or exploits targeting technology. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-shares-ransomware-defens… ∗∗∗ Video: Obfuscated Maldoc: Reversed BASE64, (Sun, Nov 14th) ∗∗∗ --------------------------------------------- I made a video of the maldoc analysis I explained in yesterday's diary entry "Obfuscated Maldoc: Reversed BASE64". --------------------------------------------- https://isc.sans.edu/diary/rss/28032 ∗∗∗ Changing your AD Password Using the Clipboard - Not as Easy as Youd Think!, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Let me know if this scenario is familiar? [...] Microsoft won't allow you to paste a password into their GUI "password change". Apparantly Microsoft wants us to continue to use passwords like "Passw0rd1!" and "Winter2021!" forever, until all AD domains are "passwordless" --------------------------------------------- https://isc.sans.edu/diary/rss/28036 ∗∗∗ Microsoft Out of Band Update Resolves Kerberos Issue, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Since Patch Tuesday, we've been tracking a Kerboros issue in November's patch bundle that affected authentication in several deployment scenarios: [...] This was fixed out of band yesterday (November 14, 2021). If you have applied November's update and are affected, you'll want to apply the "November-take-two" update on any affected servers. --------------------------------------------- https://isc.sans.edu/diary/rss/28040 ∗∗∗ Exploiting CSP in Webkit to Break Authentication & Authorization ∗∗∗ --------------------------------------------- [...] Long story short, there was a vulnerability that we reported to Safari that Apple didn’t consider severe enough to fix quickly which then after waiting for a significant amount of time, we decided to exploit and earn some bounties by reporting them to bug bounty programs. --------------------------------------------- https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-… ∗∗∗ E-Mail-Server des FBI gehackt - für Fake-Warnungen über Cyber-Angriffe genutzt ∗∗∗ --------------------------------------------- Cyberkriminelle haben einen E-Mail-Server des FBI gekapert. Anschließend verschickten sie über 100.000 Spam-Mails mit einer Warnung vor einem Cyberangriff. --------------------------------------------- https://heise.de/-6266349 ∗∗∗ POC2021 – Pwning the Windows 10 Kernel with NFTS and WNF Slides ∗∗∗ --------------------------------------------- Alex Plaskett presented “Pwning the Windows 10 Kernel with NTFS and WNF” at Power Of Community (POC) on the 11th of November 2021. The abstract of the talk is as follows: A local privilege escalation vulnerability (CVE-2021-31956) 0day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad [...] --------------------------------------------- https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kern… ∗∗∗ Exchange Exploit Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. ProxyShell is a name given to [...] --------------------------------------------- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-… ∗∗∗ AutoPoC - Validating the Lack of Validation in PoCs ∗∗∗ --------------------------------------------- HoneyPoC was a project to look at how popular CVE PoCs could be. AutoPoC took that concept and enabled the mass creation of disinformation. Also, Data is beautiful. --------------------------------------------- https://blog.zsec.uk/honeypoc-ultimate/ ∗∗∗ AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits ∗∗∗ --------------------------------------------- AT&T Alien Labs™ has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp). --------------------------------------------- https://lwn.net/Articles/876135/ ∗∗∗ Security Bulletin: Use of a one way hash without a salt in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-use-of-a-one-way-hash-wit… ∗∗∗ Security Bulletin: Hazardous Input Validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38972) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Password stored in cleartext in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-password-stored-in-cleart… ∗∗∗ Security Bulletin: Missing http strict transport security header in in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38978) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-http-strict-trans… ∗∗∗ Security Bulletin: Cross-Site scripting in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38982) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-in-i… ∗∗∗ Security Bulletin: Missing cookie secure attribute in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38977) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-cookie-secure-att… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38985) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38983) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Using components with known vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-components-with-kno… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Denial of service in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38974) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Information exposure in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38975) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-in-i… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38984) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38981) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2021
by Daily end-of-shift report 12 Nov '21

12 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-11-2021 18:00 − Freitag 12-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom dichtet Sicherheitslücken in mehreren Produkten und Clients ab ∗∗∗ --------------------------------------------- In einigen Produkten des Webkonferenz-Anbieters Zoom hat der Hersteller Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6265648 ∗∗∗ Kriminelle versenden betrügerische Mails im Namen der Post! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche LeserInnen ein betrügerisches E-Mail, das im Namen der Post verschickt wird. Darin behaupten die Kriminellen, dass für eine Bestellung zusätzliche Einfuhrgebühren notwendig seien. Auch wenn Sie gerade auf ein Paket warten, sollten Sie bei solchen E-Mails skeptisch sein. In diesem Fall versuchen die BetrügerInnen an Ihr Geld zu kommen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-betruegerische-… ∗∗∗ HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks ∗∗∗ --------------------------------------------- HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-hi… ∗∗∗ Malware uses namesilo Parking pages and Googles custom pages to spread ∗∗∗ --------------------------------------------- Recently, we found a suspicious GoELFsample, which is a downloder mainly to spread mining malwares. The interesting part is that we noticed it using namesilos Parking page and Googles user-defined page to spread the sample and configuration. Apparently this is yet another attempt to hide control channel to avoid [...] --------------------------------------------- https://blog.netlab.360.com/zhatuniubility-malware-uses-namesilo-parking-pa… ∗∗∗ Murder-for-hire, money laundering, and more: How organised criminals work online ∗∗∗ --------------------------------------------- Europol has released an extensive report into serious and organized crime, including how these groups use the internet to aid in their criminal behaviour. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/11/murder-for-hire-money-launder… ∗∗∗ “We wait, because we know you.” Inside the ransomware negotiation economics. ∗∗∗ --------------------------------------------- Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside… ∗∗∗ Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch ∗∗∗ --------------------------------------------- A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed. --------------------------------------------- https://www.securityweek.com/researcher-shows-windows-flaw-more-serious-aft… ∗∗∗ When the alarms go off: 10 key steps to take after a data breach ∗∗∗ --------------------------------------------- It’s often said that data breaches are no longer a matter of ‘if’, but ‘when’ – here’s what your organization should do, and avoid doing, in the case of a security breach --------------------------------------------- https://www.welivesecurity.com/2021/11/11/alarms-go-off-10-steps-take-data-… ∗∗∗ Network Code on Cybersecurity is out for public consultation ∗∗∗ --------------------------------------------- The draft for the Network Code for cybersecurity aspects of cross-border electricity flows has been released today for public consultation. ENCS has collaborated on the writing of the Network Code as part of the drafting team. During the public consultation period, stakeholders within the energy sector have the opportunity of sharing their views on the [...] --------------------------------------------- https://encs.eu/news/network-code-on-cybersecurity-is-out-for-public-consul… ∗∗∗ Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records ∗∗∗ --------------------------------------------- Highlights: Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021 Numbers show a 178% increase compared to 2021 so far 1 out of 38 corporate networks are being impacted on average per week in November, compared to 1 in 47 in October, and [...] --------------------------------------------- https://blog.checkpoint.com/2021/11/12/number-of-malicious-shopping-website… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284) ∗∗∗ --------------------------------------------- Victure’s WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. Three vulnerabilities were uncovered, with links to the associated technical advisories below: [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), [...] --------------------------------------------- https://lwn.net/Articles/875931/ ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- This advisory contains mitigation for Stack-based Buffer Overflow, and Out-of-bounds Write vulnerabilities in WECON PLC Editor ladder logic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-01 ∗∗∗ Multiple Data Distribution Service (DDS) Implementations ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in Multiple Data Distribution Service (DDS) Implementations developed by a number of different vendors. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02 ∗∗∗ VMware Releases Security Update for Tanzu Application Service for VMs ∗∗∗ --------------------------------------------- VMware has released a security update to address a vulnerability in Tanzu Application Service for VMs. A remote attacker could exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0026 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/12/vmware-releases-s… ∗∗∗ SYSS-2021-057: Open Redirect durch HTML Injection in Cryptshare ∗∗∗ --------------------------------------------- Im Cryptshare-Server besteht eine Schwachstelle. Sie erlaubt Angreifenden, die Empfänger einer manipulierten Nachricht auf beliebige Seiten weiterzuleiten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-057-open-redirect-durch-html-inj… ∗∗∗ Unlimited Sitemap Generator vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN58407606/ ∗∗∗ PostgreSQL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1201 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily