- Daily - CERT.at

Tageszusammenfassung - 11.11.2021
by Daily end-of-shift report 11 Nov '21

11 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-11-2021 18:00 − Donnerstag 11-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more! ∗∗∗ --------------------------------------------- The crooks have shown that the'yre willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too. --------------------------------------------- https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/ ∗∗∗ Understanding .htaccess Malware ∗∗∗ --------------------------------------------- The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, modify php.ini values; the possibilities are endless. Many site owners are unaware of this file, due to it starting with a “.” making it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server [...] --------------------------------------------- https://blog.sucuri.net/2021/11/understanding-htaccess-malware.html ∗∗∗ A Detailed Analysis of Lazarus’ RAT Called FALLCHILL ∗∗∗ --------------------------------------------- FALLCHILL is a RAT that has been used by Lazarus Group since 2016. It implements a custom algorithm that is used to decode multiple DLL names and export functions, which will be imported at runtime. --------------------------------------------- https://lifars.com/knowledge-center/a-detailed-analysis-of-lazarus-rat-call… ∗∗∗ The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. ∗∗∗ --------------------------------------------- Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way...The post The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. appeared first on McAfee Blogs. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-a… ∗∗∗ ClusterFuzzLite: Continuous fuzzing for all ∗∗∗ --------------------------------------------- Posted by Jonathan Metzman, Google Open Source Security TeamIn recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST’s guidelines for software verification, recently released in response to the White House Executive Order on --------------------------------------------- http://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-f… ∗∗∗ HändlerInnen aufgepasst: BetrügerInnen geben Fake-Bestellungen im Namen von ATOS auf ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als das Unternehmen ATOS aus und bekunden per Mail Interesse an einer Großbestellung. Für die betroffenen HändlerInnen mag das nach einem schnellen und leichten Geschäft klingen, doch tatsächlich hat die seriöse Firma ATOS nichts mit dieser Bestellung am Hut. Stattdessen würden Sie ihre Produkte an Kriminelle versenden, Geld dafür erhalten Sie nicht. --------------------------------------------- https://www.watchlist-internet.at/news/haendlerinnen-aufgepasst-betruegerin… ∗∗∗ Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications ∗∗∗ --------------------------------------------- [...] In simple terms, capability abstraction provides a way to describe how a given attack technique interacts with the internal components of a targeted system. The abstraction map that this process produces helps us to understand the common denominator between distinct implementations of the same technique. --------------------------------------------- https://posts.specterops.io/capability-abstraction-case-study-detecting-mal… ∗∗∗ A Peek into Top-Level Domains and Cybercrime ∗∗∗ --------------------------------------------- We analyze which top-level domains (TLDs) have the highest rate of malicious domains and why, and suggest strategies for blocking malicious domains. --------------------------------------------- https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/ ∗∗∗ BazarBackdoor now abuses Windows 10 apps feature in call me back attack ∗∗∗ --------------------------------------------- AppInstaller.exe has been twisted in a new form of phishing attack. --------------------------------------------- https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-apps-featur… ∗∗∗ October 2021’s Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time ∗∗∗ --------------------------------------------- Check Point Research reveals that Trickbot is the most prevalent malware and a new vulnerability in Apache is one of the most exploited vulnerabilities worldwide. --------------------------------------------- https://blog.checkpoint.com/2021/11/11/october-2021s-most-wanted-malware-tr… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1303: NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1303/ ∗∗∗ Wordpress-Plug-in WP Reset Pro fixt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In WP Reset Pro klaffte eine Sicherheitslücke, durch die angemeldete Nutzer auch ohne entsprechende Rechte ganze Wordpress-Webauftritte löschen konnten. --------------------------------------------- https://heise.de/-6264564 ∗∗∗ Sicherheitsupdate: Kritische Root-Lücke bedroht Firewalls von Palo Alto ∗∗∗ --------------------------------------------- Sind bestimmte Einstellungen aktiviert und Voraussetzungen gegeben, könnten Angreifer Palo-Alto-Firewalls attackieren. --------------------------------------------- https://heise.de/-6264656 ∗∗∗ Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin ∗∗∗ --------------------------------------------- On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” [...] --------------------------------------------- https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py). --------------------------------------------- https://lwn.net/Articles/875813/ ∗∗∗ iCloud for Windows 13 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212953 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by Cross-Site Scripting (CVE-2020-4140) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by vulnerability CVE-2020-4146 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ VMSA-2021-0026 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0026.html ∗∗∗ NGINX Ingress Controller vulnerability CVE-2021-23055 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01051452?utm_source=f5support&utm_mediu… ∗∗∗ Micropatching Incompletely Patched Local Privilege Escalation in User Profile Service (CVE-2021-34484) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html ∗∗∗ Stack Buffer Overflow Vulnerability in Multimedia Console ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-45 ∗∗∗ Reflected XSS Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-47 ∗∗∗ TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-64 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2021
by Daily end-of-shift report 10 Nov '21

10 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-11-2021 18:00 − Mittwoch 10-11-2021 18:00 Handler: Stephan Richter Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Researcher Details Vulnerabilities Found in AWS API Gateway ∗∗∗ --------------------------------------------- AWS fixed the security flaws that left the API service at risk of so-called HTTP header-smuggling attacks, says the researcher who discovered them. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/researcher-details-vuln… ∗∗∗ Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog ∗∗∗ --------------------------------------------- Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest version of BusyBox. All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0. --------------------------------------------- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by… ∗∗∗ Patchday: Microsoft warnt vor Attacken auf Excel und Exchange ∗∗∗ --------------------------------------------- Abermals haben es Angreifer Exchange Server abgesehen. Außerdem gibt es wichtige Sicherheitsupdates für Azure, Office, Windows & Co. --------------------------------------------- https://heise.de/-6263036 ∗∗∗ Patchday: SAP schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Am Patch-Tuesday hat auch SAP Aktualisierungen für seine Produkte veröffentlicht. Ein Fix behandelt eine kritische Lücke im ABAP Platform Kernel. --------------------------------------------- https://heise.de/-6263099 ∗∗∗ Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton ∗∗∗ --------------------------------------------- Today, we’re disclosing another 10 vulnerabilities in Azure Sphere — two of which are on the Linux side, seven that exist in Security Monitor and one in the Pluton security subsystem. --------------------------------------------- https://blog.talosintelligence.com/2021/11/cisco-talos-finds-10-vulnerabili… ∗∗∗ Achtung: Momentan kursieren zahlreiche E-Mails mit Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte E-Mails im Namen von Electrolux, Weitzer Parkett Vertriebs GmbH und der TU Wien. Wer ein komisches E-Mail mit der Aufforderung einen Anhang zu öffnen erhält, sollte besonders vorsichtig sein. Im Anhang befindet sich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-momentan-kursieren-zahlreich… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Server Vulnerabilities – November 2021 ∗∗∗ --------------------------------------------- During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Platform Security Processor (PSP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD EPYC™ AGESA™ PI packages. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Cloud Pak for Multicloud Management Infrastructure Management, Cloud Pak for Multicloud Management Managed Services, Rational Business Developer, InfoSphere Information Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Open Design Alliance (ODA) Security Advisories ∗∗∗ --------------------------------------------- ODA PRC SDK, Drawings SDK, ODA Viewer --------------------------------------------- https://www.opendesign.com/security-advisories ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-8 and samba), Fedora (community-mysql, firefox, and vim), openSUSE (binutils, kernel, and tinyxml), Red Hat (annobin, autotrace, babel, bind, binutils, bluez, compat-exiv2-026, container-tools:2.0, container-tools:3.0, container-tools:rhel8, cups, curl, dnf, dnsmasq, edk2, exiv2, file, file-roller, firefox, gcc, gcc-toolset-10-annobin, gcc-toolset-10-binutils, gcc-toolset-10-gcc, gcc-toolset-11-annobin, gcc-toolset-11-binutils,[...] --------------------------------------------- https://lwn.net/Articles/875708/ ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/adobe-releases-se… ∗∗∗ BSRT-2021-003 Vulnerabilities Impact BlackBerry Protect for Windows ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-21-1302: Ivanti Avalanche EnterpriseServer Service SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1302/ ∗∗∗ ZDI-21-1301: Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1301/ ∗∗∗ ZDI-21-1300: Ivanti Avalanche User Management Improper Authentication Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1300/ ∗∗∗ ZDI-21-1299: Ivanti Avalanche Filestore Management Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1299/ ∗∗∗ ZDI-21-1298: Ivanti Avalanche JNLP File Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1298/ ∗∗∗ Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signa… ∗∗∗ INTEL-SA-00481 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00560 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00568 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00569 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00567 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ VMSA-2021-0025 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0025.html ∗∗∗ Samba 4.15.2, 4.14.10, 4.13.14 security releases available ∗∗∗ --------------------------------------------- https://lwn.net/Articles/875565/ ∗∗∗ Philips MRI 1.5T and 3T ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01 ∗∗∗ OSIsoft PI Vision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 ∗∗∗ OSIsoft PI Web API ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06 ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2021 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500449-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp Clustered Data ONTAP Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500448-NETAPP-CLUSTERED-DATA-O… ∗∗∗ Realtek Driver Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500447-REALTEK-DRIVER-PRIVILEG… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2021) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500446-MULTI-VENDOR-BIOS-SECUR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2021
by Daily end-of-shift report 09 Nov '21

09 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-11-2021 18:00 − Dienstag 09-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus ∗∗∗ --------------------------------------------- Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-ex… ∗∗∗ Abcbot, an evolving botnet ∗∗∗ --------------------------------------------- Business on the cloud and security on the cloud is one of the industry trends in recent years. 360Netlab is also continuing to focus on security incidents and trends on the cloud from its own expertise in the technology field. The following is a recent security incident we observed, --------------------------------------------- https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/ ∗∗∗ (Ab)Using Security Tools & Controls for the Bad, (Mon, Nov 8th) ∗∗∗ --------------------------------------------- As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures. Install this tool, enable this feature, disable this function, etc. When enabled, these techniques can also be (ab)used by attackers to perform nasty actions. --------------------------------------------- https://isc.sans.edu/diary/rss/28014 ∗∗∗ WooCommerce Skimmer Spoofs Checkout Page ∗∗∗ --------------------------------------------- Recently a client of ours was reporting a bogus checkout page appearing on their website. When trying to access their “my-account” page an unfamiliar prompt appeared in their browser soliciting credit card billing information: This form was foreign to our client and was clearly placed during a website compromise. Interestingly, the website itself doesn’t even accept payments at all. If this was an attempt at a targeted credit card theft infection (as quite a few of them are) [...] --------------------------------------------- https://blog.sucuri.net/2021/11/woocommerce-skimmer-spoofs-checkout-page.ht… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Security Flaws ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released a total of 20 Patch Tuesday advisories to address more than 50 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ „media-markt-outlet.de“ ist Fake ∗∗∗ --------------------------------------------- Die Webseite media-markt-outlet.de gibt vor, ein Outlet-Store von Media Markt zu sein. Da es sich bei diesem Fake-Shop angeblich um ein Outlet handelt, erscheinen die günstigen Preise auf dem ersten Blick nicht untypisch. Doch Vorsicht: media-markt-outlet.de ist Fake - Sie erhalten trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-outletde-ist-fake/ ∗∗∗ The Invisible JavaScript Backdoor ∗∗∗ --------------------------------------------- A few months ago we saw a post on the r/programminghorror subreddit: A developer describes the struggle of identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. This post inspired an idea: What if a backdoor literally cannot be seen and thus evades detection even from thorough code reviews? --------------------------------------------- https://certitude.consulting/blog/en/invisible-backdoor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf CMS Sitecore Experience Platform beobachtet ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf eine Schadcode-Lücke im Content Management System Sitecore XP abgesehen. Sicherheitspatches gibt es bereits seit Oktober 2021. --------------------------------------------- https://heise.de/-6262157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, grafana, jenkins, opera, and thunderbird), Debian (botan1.10 and ckeditor), openSUSE (chromium, kernel, qemu, and rubygem-activerecord-5_1), SUSE (qemu and rubygem-activerecord-5_1), and Ubuntu (docker.io, kernel, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/875531/ ∗∗∗ Adobe Patches Critical RoboHelp Server Security Flaw ∗∗∗ --------------------------------------------- Software maker Adobe on Tuesday released patches to cover at least four documented security defects that expose users to malicious hacker attacks. The most serious of the flaw was addressed in RoboHelp Server and is rated “critical” because it exposes corporate environments to arbitrary code execution attacks. --------------------------------------------- https://www.securityweek.com/adobe-patches-critical-robohelp-server-securit… ∗∗∗ IPAS: Security Advisories for November 2021 ∗∗∗ --------------------------------------------- Hi everyone, Today we released 25 security advisories addressing 72 vulnerabilities. Through our internal security research and the investment we make in our bug bounty programs, 96% of the issues being addressed today are the result of our proactive product security assurance efforts. Given that almost half of today’s advisories address drivers in various components, [...] --------------------------------------------- https://blogs.intel.com/technology/2021/11/intel-security-advisories-for-no… ∗∗∗ NUCLEUS:13 vulnerabilities impact Siemens medical & industrial equipment ∗∗∗ --------------------------------------------- Security researchers have disclosed today a set of 13 vulnerabilities that impact a crucial Siemens software library that is included with medical devices, automotive, and industrial systems. --------------------------------------------- https://therecord.media/nucleus13-vulnerabilities-impact-siemens-medical-in… ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX330728 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by CVE-2021-23509 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Compress Library affects IBM LKS ART and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (July 2021) affects IBM InfoSphere Information Server (CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-25648, CVE-2021-31535, CVE-2021-20305, CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-4152, CVE-2020-4160, CVE-2020-4153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Safer Payments v5.7 to v6.3 releases are affected by an OpenSSL Security Advisory (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-safer-payments-v5-7-t… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2021
by Daily end-of-shift report 08 Nov '21

08 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-11-2021 18:00 − Montag 08-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unbekannte infiltrieren Paketmanager npm und verseuchen Tools mit Schadcode ∗∗∗ --------------------------------------------- Die Betreiber des Paketmanagers npm warnen davor, dass Unbefugte die Pakete coa und rc trojanisiert haben. --------------------------------------------- https://heise.de/-6260153 ∗∗∗ Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer ∗∗∗ --------------------------------------------- A malicious campaign against ManageEngine ADSelfService Plus used Godzilla webshells, the NGLite backdoor and KdcSponge, a credential stealer. --------------------------------------------- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ ∗∗∗ Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice ∗∗∗ --------------------------------------------- Trend Micros ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DCs Thunderstruck on the contests third day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwn2own-printer-plays-ac-dc-… ∗∗∗ Sitecore XP RCE flaw patched last month now actively exploited ∗∗∗ --------------------------------------------- The Australian Cyber Security Center (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP). --------------------------------------------- https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched… ∗∗∗ Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sun, Nov 7th) ∗∗∗ --------------------------------------------- I made a video showing the steps to take to decrypt Cobalt Strike traffic that I covered in my diary entry "Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory". --------------------------------------------- https://isc.sans.edu/diary/rss/28008 ∗∗∗ ICS Threat Hunting: “Theyre Shootin’ at the Lights!” - PART 2 ∗∗∗ --------------------------------------------- [...] In this PART 2 of the blog series we will: Identify several critical and targeted ICS assets to protect, Identify related data sources for those assets, Focus on aspects of threat intel to use for a hunt, Build a threat hunt package template to prepare for executing the actual hunt --------------------------------------------- https://www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights… ∗∗∗ TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access ∗∗∗ --------------------------------------------- NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the [...] --------------------------------------------- https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnera… ∗∗∗ DDoS Attack Trends for Q3 2021 ∗∗∗ --------------------------------------------- The third quarter of 2021 was a busy quarter for DDoS attackers. Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world. --------------------------------------------- https://blog.cloudflare.com/ddos-attack-trends-for-2021-q3/ ∗∗∗ ASEC Weekly Malware Statistics (October 25th, 2021 – October 31st, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 25th, 2021 (Monday) to October 31st, 2021 (Sunday). For the main category, info-stealer ranked top with 48.3%, followed by RAT (Remote Administration Tool) malware with 24.5%, Downloader with 18.3%, Backdoor malware with 4.6%, Ransomware with 4.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/28464/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu). --------------------------------------------- https://lwn.net/Articles/875420/ ∗∗∗ Security Bulletin:Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinmultiple-security-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting in Guardium STAP vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: XSS vulerability in Dojo affects IBM Tivoli Business Service Manager (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulerability-in-dojo-… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerable to a denial of service attack (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Apache Commons FileUpload vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2014-0034, CVE-2014-0050, CVE-2013-2186, CVE-2016-3092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-commons-f… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2021
by Daily end-of-shift report 05 Nov '21

05 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-11-2021 18:00 − Freitag 05-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing emails deliver spooky zombie-themed MirCop ransomware ∗∗∗ --------------------------------------------- A new phishing campaign pretending to be supply lists infects users with the MirCop ransomware that encrypts a target system in under fifteen minutes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-emails-deliver-spoo… ∗∗∗ Bluetooth-Lücken Braktooth: Das Patchen geht nur schleppend voran ∗∗∗ --------------------------------------------- Für Braktooth-Attacken anfällige Bluetooth-Geräte könnten zeitnah in den Fokus von Angreifern rücken. Patches sind noch längst nicht flächendeckend verfügbar. --------------------------------------------- https://heise.de/-6254474 ∗∗∗ SSL certificate research highlights pitfalls for company data, competition ∗∗∗ --------------------------------------------- Analysis reveals hidden risks for organizations that do not monitor their certificate usage. --------------------------------------------- https://www.zdnet.com/article/ssl-certificate-research-highlights-pitfalls-… ∗∗∗ The IoT is getting a lot bigger, but security is still getting left behind ∗∗∗ --------------------------------------------- Four in five Internet of Things device vendors dont provide any information on how to disclose security vulnerabilities. That means problems just dont get fixed. --------------------------------------------- https://www.zdnet.com/article/the-iot-is-getting-a-lot-bigger-but-security-… ∗∗∗ Malware found in coa and rc, two npm packages with 23M weekly downloads ∗∗∗ --------------------------------------------- The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware. --------------------------------------------- https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-2… ∗∗∗ Datenbank mit Millionen Daten von VPN-Nutzern ungeschützt im Internet (Okt. 2021) ∗∗∗ --------------------------------------------- Wer VPN-Anbieter nutzt, muss sich auf deren Sicherheit und Integrität verlassen können. Sicherheitsforscher Bob Diachenko von comparitech ist kürzlich im Internet auf eine ungeschützte Datenbank (kein Passwort) gestoßen, die mehr als 300 Millionen Datensätze mit den persönlichen Daten [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/05/datenbank-mit-millionen-daten-von-… ∗∗∗ Phishing PDF Files with CAPTCHA Screen Being Mass-distributed ∗∗∗ --------------------------------------------- Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by AhnLab’s ASD infrastructure since July up till now amount to 1,500,000. --------------------------------------------- https://asec.ahnlab.com/en/28431/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1278: Hewlett Packard Enterprise iLO Amplifier Pack backup Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise iLO Amplifier Pack. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1278/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd). --------------------------------------------- https://lwn.net/Articles/875212/ ∗∗∗ SYSS-2021-048/SYSS-2021-049: PHP Event Calendar – SQL Injection und Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- Im "PHP Event Calendar" wurden zwei Sicherheitslücken gefunden. So kann die Datenbank ausgelesen oder die Sitzung anderer Nutzer kompromittiert werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-048/syss-2021-049-php-event-cale… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1157 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29753 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2021
by Daily end-of-shift report 04 Nov '21

04 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-11-2021 18:00 − Donnerstag 04-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Wichtige Cisco-Updates: Recycelte SSH-Keys vereinfachten unbefugte Root-Zugriffe ∗∗∗ --------------------------------------------- Neue Versionen schließen eine kritische Lücke in Ciscos Policy Suite. Auch Catalyst PON Switches & weitere Produkte wurden gegen Angriffe abgesichert. --------------------------------------------- https://heise.de/-6251668 ∗∗∗ BSI-Paper: Technische Grundlagen sicherer Messenger-Dienste ∗∗∗ --------------------------------------------- Milliardenfach kommt weltweit ein Kommunikationsmittel zum Zuge: Messenger-Dienste. Die kurze geschriebene oder gesprochene Nachricht überrundet schon lange die SMS. Doch wie funktionieren Messenger? Was macht sie sicher und was eher nicht? Auf diese und weitere Fragen gibt das BSI-Paper „Moderne Messenger – heute verschlüsselt, morgen interoperabel?“ Antwort. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Cyberkriminelle verkaufen Zugänge zu internationalen Logistikfirmen ∗∗∗ --------------------------------------------- Es handelt sich oft um Schwachstellen in RDP und VPN. Angeboten werden aber auch gestohlene Zugangsdaten. Sicherheitsforscher warnen vor weiteren negativen Folgen für die Lieferkette. --------------------------------------------- https://www.zdnet.de/88397581/cyberkriminelle-verkaufen-zugaenge-zu-interna… ∗∗∗ Betrug mit Verdopplung Ihrer Bitcoins und Kryptowährungen! ∗∗∗ --------------------------------------------- Kriminelle machen ein attraktives Angebot: Sie versprechen eine Verdopplung eingezahlter Kryptowährungen durch einfaches Übetragen auf eine Wallet. Der Haken an der Sache: Übertragene Währungen sind verloren, denn sie landen direkt auf den Wallets der Kriminellen. Genau das passiert auch auf spacegetbonus.com mit Bitcoin, Ethereum und Dogecoin! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-verdopplung-ihrer-bitcoin… ∗∗∗ Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware ∗∗∗ --------------------------------------------- A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshel… ∗∗∗ Samsung Galaxy S21 hacked on second day of Pwn2Own Austin ∗∗∗ --------------------------------------------- Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-galaxy-s21-hacked-on… ∗∗∗ 5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls ∗∗∗ --------------------------------------------- Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques. --------------------------------------------- https://www.darkreading.com/edge-threat-monitor/5-mitre-attck-tactics-most-… ∗∗∗ Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns ∗∗∗ --------------------------------------------- Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands. --------------------------------------------- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-van… ∗∗∗ Credit card skimmer evades Virtual Machines ∗∗∗ --------------------------------------------- After code obfuscation, anti-debugger tricks we now see virtual machine detection used by credit card skimmers. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimm… ∗∗∗ The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing ∗∗∗ --------------------------------------------- In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim. The kit doesnt display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/vagabon-kit-frankens… ∗∗∗ Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server ∗∗∗ --------------------------------------------- GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a new Intezer Protect user’s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/ ∗∗∗ Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 ∗∗∗ --------------------------------------------- We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decr… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Vulnerability Reported in Linux Kernels TIPC Module ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw in the Linux Kernels Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel [...] --------------------------------------------- https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/875106/ ∗∗∗ Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server ∗∗∗ --------------------------------------------- [...] Summary: Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-051/ ∗∗∗ VISAM VBASE Editor ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Access Control, Cross-site Scripting, Using Components with Known Vulnerabilities, and Improper Restriction of XML External Entity Reference vulnerabilities in the VISAM VBASE Editor automation platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-01 ∗∗∗ AzeoTech DAQFactory ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Inherently Dangerous Function, Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information, and Modification of Assumed-Immutable Data (MAID) vulnerabilities in the AzeoTech DAQFactory software and application development platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02 ∗∗∗ BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities ∗∗∗ --------------------------------------------- On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-c… ∗∗∗ Security Bulletin: Vulnerability in Oracle, Java SE Affecting Watson Speech Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-oracle-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability (CVE-2020-26939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Reflected cross-site scripting vulnerability in IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Grafana: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1154 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2021
by Daily end-of-shift report 03 Nov '21

03 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-11-2021 18:00 − Mittwoch 03-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions ∗∗∗ --------------------------------------------- This article provides an overview of what the App Sandbox is and the vulnerability details as disclosed to Apple. --------------------------------------------- https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassin… ∗∗∗ Ransomware: "BlackMatter"-Gang will aufhören – mal wieder ∗∗∗ --------------------------------------------- Druck von Ermittlern veranlasst BlackMatter zum Aufhören. Ein endgültiger Abschied der alten Hasen aus dem Erpresser-Business scheint aber eher fraglich. --------------------------------------------- https://heise.de/-6247924 ∗∗∗ Sicherheitsforscher warnen vor zehntausenden verwundbaren GitLab-Servern ∗∗∗ --------------------------------------------- Obwohl es bereits mehrere Monate Sicherheitspatches für eine kritische Lücke gibt, sind einem Bericht zufolge immer noch viele GitLab-Server angreifbar. --------------------------------------------- https://heise.de/-6249588 ∗∗∗ This Steam phish baits you with free Discord Nitro ∗∗∗ --------------------------------------------- Theres another scam making rounds on Discord. And its cleverly phishing for Steam credentials. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-ba… ∗∗∗ Kleinanzeigenbetrug mit angeblichem Post-Kurier boomt! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen wenden sich derzeit an uns, da Kriminelle eine gefälschte Webseite der Post für Kleinanzeigenbetrug verwenden. Dabei suchen die BetrügerInnen auf Willhaben, Ebay, Shpock und Co. nach teuren Angeboten und erklären den VerkäuferInnen, dass der Kauf über einen Kurierdienst der Post abgewickelt werden soll. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-angeblichem-… ∗∗∗ Almost half of rootkits are used for cyberattacks against government organizations ∗∗∗ --------------------------------------------- On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage. --------------------------------------------- https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-go… ∗∗∗ "Trojan Source": Was ist da dran? ∗∗∗ --------------------------------------------- An sich schätze ich Brian Krebs, er schreibt wirklich gute Artikel, aber bei ‘Trojan Source’ Bug Threatens the Security of All Code hat er etwas übertrieben. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/trojan-source-was-ist-da-dran ∗∗∗ CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to addresses vulnerabilities that establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-2… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 16 Security Advisories veröffentlicht. Zwei davon werden als "Critical" eingestuft, zwei als "High", und zwölf als "Medium". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Patchday: Angreifer attackieren gezielt Android-Geräte ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Eine Lücke im Kernel nutzen Angreifer derzeit aus. --------------------------------------------- https://heise.de/-6247997 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak). --------------------------------------------- https://lwn.net/Articles/874980/ ∗∗∗ ZDI-21-1277: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1277/ ∗∗∗ ZDI-21-1276: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1276/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211103-… ∗∗∗ Security Bulletin: Vulnerabilities in HAProxy Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-haprox… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/ ∗∗∗ Red Hat Integration - Service Registry: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1143 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2021
by Daily end-of-shift report 02 Nov '21

02 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-10-2021 18:00 − Dienstag 02-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trojan Source: Programmiersprachen lassen sich per Unicode trojanisieren ∗∗∗ --------------------------------------------- Ein Forschungsteam zeigt systematisch, wie sich mit Unicode-Tricks Code manipulieren lässt. Open-Source-Communitys und die IT-Industrie reagieren. --------------------------------------------- https://www.golem.de/news/trojan-source-programmiersprachen-lassen-sich-per… ∗∗∗ BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool ∗∗∗ --------------------------------------------- The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports. --------------------------------------------- https://www.securityweek.com/blackmatter-ransomware-operators-develop-custo… ∗∗∗ FBI Publishes IOCs for Hello Kitty Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has published a flash alert to share details on the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the Hello Kitty ransomware, which is also known as FiveHands. --------------------------------------------- https://www.securityweek.com/fbi-publishes-iocs-hello-kitty-ransomware ∗∗∗ Webseiten-BetreiberInnen aufgepasst: Gefälschte E-Mails von WORLD4YOU im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan betrügerische E-Mails im Namen von Wordl4You. In den betrügerischen E-Mails wird behauptet, dass die Domain gesperrt wurde, abgelaufen ist oder verlängert werden muss. --------------------------------------------- https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-… ∗∗∗ EU Digital Green Certificate: Was gilt eigentlich bei uns? ∗∗∗ --------------------------------------------- Nachdem der digitale grüne Pass gerade in den Medien ist, und ich für den Standard den Erklärbären mache, will ich hier ein paar technische Informationen dokumentieren, die für einen Zeitungsartikel dann doch zu technisch sind. --------------------------------------------- https://cert.at/de/blog/2021/10/eu-digital-green-certificate-was-gilt-eigen… ∗∗∗ Shodan Verified Vulns 2021-11-01 ∗∗∗ --------------------------------------------- Das "Cyber-Security-Month" Oktober ist vorbei, aber, wie ein Blick in unsere Shodan-Daten vom 2021-11-01 verrät, hatte es keinen direkt sichtbaren Effekt: Die Veränderungen zu Anfang Oktober sind überschaubar. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/shodan-verified-vulns-2021-11-01 ∗∗∗ From Zero to Domain Admin ∗∗∗ --------------------------------------------- This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. --------------------------------------------- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ ===================== = Vulnerabilities = ===================== ∗∗∗ Android November patch fixes actively exploited kernel bug ∗∗∗ --------------------------------------------- Google has released the Android November 2021 security updates, which address 18 vulnerabilities in the framework and system components, and 18 more flaws in the kernel and vendor components. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-november-patch-fixes… ∗∗∗ Alert! Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild ∗∗∗ --------------------------------------------- A now-patched critical remote code execution (RCE) vulnerability in GitLabs web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks. --------------------------------------------- https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Tivoli Composite Application Manager for Transactions, InfoSphere Information Server, InfoSphere DataStage Flow Designer, API Connect, Application Discovery and Delivery Intelligence, MessageGateway, PowerSC. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Firefox-Updates schließen zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- Die Entwickler der Mozilla Foundation haben im Webbrowser Firefox mehr als ein Dutzend Sicherheitslücken gestopft. --------------------------------------------- https://heise.de/-6245344 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, webkit2gtk). --------------------------------------------- https://lwn.net/Articles/874623/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman). --------------------------------------------- https://lwn.net/Articles/874818/ ∗∗∗ Kaspersky Patches Vulnerability That Can Lead to Unbootable System ∗∗∗ --------------------------------------------- Kaspersky published two advisories on Monday to warn customers about a vulnerability that can lead to unbootable systems and a phishing campaign involving messages sent from a Kaspersky email address. --------------------------------------------- https://www.securityweek.com/kaspersky-patches-vulnerability-can-lead-unboo… ∗∗∗ November 1, 2021 TNS-2021-18 [R1] Nessus 10.0.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-18 ∗∗∗ Synology-SA-21:27 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_27 ∗∗∗ Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-306-01 ∗∗∗ WECON PI Studio (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2021
by Daily end-of-shift report 29 Oct '21

29 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-10-2021 18:00 − Freitag 29-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Wie Ransomware eine Stadtverwaltung Tage lang lahmlegte ∗∗∗ --------------------------------------------- Neustadt am Rübenberge war Ziel eines großen IT-Angriffs. Der Fall zeigt, wie stark sich das auswirken kann, welche Lehren Institutionen daraus ziehen sollten. --------------------------------------------- https://heise.de/-6236592 ∗∗∗ Betrügerische Mails und SMS im Namen der Volksbank im Umlauf! ∗∗∗ --------------------------------------------- Derzeit geben sich BetrügerInnen vermehrt als Volksbank aus, um per Mail oder SMS an die Online-Banking-Zugangsdaten von potenziellen Opfer zu kommen. Die Kriminellen behaupten dabei, dass eine App installiert werden müsste oder der Zugang zu dieser App gesperrt wurde. Achtung: Es handelt sich um Phishing und Smishing! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-name… ∗∗∗ SEO Poisoning Used to Distribute Ransomware ∗∗∗ --------------------------------------------- This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say. --------------------------------------------- https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribu… ∗∗∗ Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App ∗∗∗ --------------------------------------------- Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency. --------------------------------------------- https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/ ∗∗∗ Pink, a botnet that competed with the vendor to control the massive infected devices ∗∗∗ --------------------------------------------- Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...] --------------------------------------------- https://blog.netlab.360.com/pink-en/ ∗∗∗ This New Android Malware Can Gain Root Access to Your Smartphones ∗∗∗ --------------------------------------------- An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. --------------------------------------------- https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.ht… ∗∗∗ Update your OptinMonster WordPress plugin immediately ∗∗∗ --------------------------------------------- We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-y… ∗∗∗ Network Scanning Traffic Observed in Public Clouds ∗∗∗ --------------------------------------------- Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/ ∗∗∗ NSA-CISA Series on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-s… ===================== = Vulnerabilities = ===================== ∗∗∗ All Windows versions impacted by new LPE zero-day vulnerability ∗∗∗ --------------------------------------------- A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/all-windows-versions-impacte… ∗∗∗ Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X ∗∗∗ --------------------------------------------- CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN69304877/ ∗∗∗ Shrootless: Microsoft finds Apple macOS vulnerability ∗∗∗ --------------------------------------------- Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootle… ∗∗∗ XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites ∗∗∗ --------------------------------------------- On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations. --------------------------------------------- https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-soc… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/874354/ ∗∗∗ Sensormatic Electronics victor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01 ∗∗∗ Delta Electronics DOPSoft (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04 ∗∗∗ GoCD Authentication Vulnerability ∗∗∗ --------------------------------------------- GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authenticati… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: RCE Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: ZipSlip Vulnerability in Automation Studio Project Import ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: DLL Hijacking Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60553023/ ∗∗∗ ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1273/ ∗∗∗ ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1272/ ∗∗∗ ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1271/ ∗∗∗ ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1270/ ∗∗∗ ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1275/ ∗∗∗ ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1274/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2021
by Daily end-of-shift report 28 Oct '21

28 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-10-2021 18:00 − Donnerstag 28-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ QR Codes Help Attackers Sneak Emails Past Security Controls ∗∗∗ --------------------------------------------- A recently discovered campaign shows how attackers are constantly developing new techniques to deceive phishing victims. --------------------------------------------- https://www.darkreading.com/attacks-breaches/qr-codes-help-attackers-sneak-… ∗∗∗ How we took part in MLSEC and (almost) won ∗∗∗ --------------------------------------------- How we took part in the Machine Learning Security Evasion Competition (MLSEC) — a series of trials testing contestants’ ability to create and attack machine learning models. --------------------------------------------- https://securelist.com/how-we-took-part-in-mlsec-and-almost-won/104699/ ∗∗∗ EU’s Green Pass Vaccination ID Private Key Leaked ∗∗∗ --------------------------------------------- The private key used to sign the vaccine passports was leaked and is being passed around to create fake passes for the likes of Mickey Mouse and Adolf Hitler. --------------------------------------------- https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175… ∗∗∗ New Wslink Malware Loader Runs as a Server and Executes Modules in Memory ∗∗∗ --------------------------------------------- Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed "Wslink" by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. --------------------------------------------- https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html ∗∗∗ Threat profile: Ranzy Locker ransomware ∗∗∗ --------------------------------------------- What you need to know about Ranzy Locker ransomware. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/10/threat-profile-ranzy-locke… ∗∗∗ PSA: Widespread Remote Working Scam Underway ∗∗∗ --------------------------------------------- Attackers are posting jobs pretending to be from existing companies and steal money and/or personal information from jobseekers. --------------------------------------------- https://www.wordfence.com/blog/2021/10/psa-widespread-remote-working-scam-u… ∗∗∗ Trends und Entwicklungen bei Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops gibt es wie Sand am Meer - und auch sie entwickeln sich nach Trends: Von E-Bikes bis zur Playstation5. Diese Trends sind von der Saison, aber auch von Angebot und Nachfrage abhängig. Was die Watchlist Internet im letzten Jahr über Fake-Shop-Trends erfahren hat, lesen Sie hier. --------------------------------------------- https://www.watchlist-internet.at/news/trends-und-entwicklungen-bei-fake-sh… ∗∗∗ Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains ∗∗∗ --------------------------------------------- Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile. --------------------------------------------- https://therecord.media/free-decrypters-released-for-atomsilo-babuk-and-loc… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 19 Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, neun als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (salt), Slackware (bind), SUSE (salt), and Ubuntu (php5, php7.0, php7.2, php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/874210/ ∗∗∗ 2021 CWE Most Important Hardware Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List. The 2021 Hardware List is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in hardware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/2021-cwe-most-imp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2021
by Daily end-of-shift report 27 Oct '21

27 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 25-10-2021 18:00 − Mittwoch 27-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Babuk ransomware decryptor released to recover files for free ∗∗∗ --------------------------------------------- Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-r… ∗∗∗ Vorsicht: Neue Betrugswelle mit vermeintlichen DHL-SMS ∗∗∗ --------------------------------------------- Wieder sind betrügerische SMS zu Paketlieferungen im Umlauf. Ziel ist es, eine Schadsoftware aufs Handy zu bringen. --------------------------------------------- https://futurezone.at/digital-life/betrug-dhl-sms-phishing-ausstehendes-pak… ∗∗∗ Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads ∗∗∗ --------------------------------------------- UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service. --------------------------------------------- https://threatpost.com/android-scammed-sms-fraud-tik-tok/175739/ ∗∗∗ Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users ∗∗∗ --------------------------------------------- The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet. --------------------------------------------- https://threatpost.com/mozilla-firefox-blocks-malicious-add-ons-installed-b… ∗∗∗ Conti Ransom Gang Starts Selling Access to Victims ∗∗∗ --------------------------------------------- The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Contis malware who refuse to negotiate a ransom payment are added to Contis victim shaming blog, where confidential files stolen from victims may be published or sold. --------------------------------------------- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access… ∗∗∗ „Hallo Mama“ - Vorsicht vor Betrug über WhatsApp! ∗∗∗ --------------------------------------------- Aktuell versuchen BetrügerInnen über WhatsApp an das Geld von potentiellen Opfern zu kommen. Dafür geben Sie sich in einer Nachricht als Tochter oder Sohn der EmpfängerInnen aus und fordern die Überweisung von mehreren tausend Euro. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-vorsicht-vor-betrug-ueber… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Erneute Sicherheitslücke im Plugin Ninja Forms ∗∗∗ --------------------------------------------- Das beliebte Formular-Framework ist erneut von einer Sicherheitslücke betroffen. Das WordPress-Plugin ist auf mehr als einer Million Webseiten aktiv. --------------------------------------------- https://heise.de/-6229249 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/874045/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp). --------------------------------------------- https://lwn.net/Articles/874143/ ∗∗∗ Belden Security Bulletin – BSECV-2020-03: Potential denial of service vulnerability in PROFINET Devices via DCE-RPC Packets ∗∗∗ --------------------------------------------- A vulnerability in the PROFINET stack implementation in Classic Firmware, HiOS, and HiLCOS could lead to a denial of service via an out of memory condition. --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=13688&mediaformat… ∗∗∗ Security Bulletin: A vulnerability exists in the restricted shell of the IBM FlashSystem 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software – September 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Openstack Compute (Nova) noVNC proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openstack-compute-nova-no… ∗∗∗ Security Bulletin: Insufficient session expiration in IBM i2 iBase ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-session-expi… ∗∗∗ Grafana vulnerability CVE-2021-39226 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22322802 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1114 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1121 ∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-299-01 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/adobe-releases-se… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/apple-releases-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2021
by Daily end-of-shift report 25 Oct '21

25 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-10-2021 18:00 − Montag 25-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA Urges Sites to Patch Critical RCE in Discourse ∗∗∗ --------------------------------------------- The patch, urgently rushed out on Friday, is an emergency fix for the widely deployed platform, whose No. 1 most trafficked site is Amazon’s Seller Central. --------------------------------------------- https://threatpost.com/cisa-critical-rce-discourse/175705/ ∗∗∗ Schadcode in weit verbreiteter JavaScript-Bibliothek UAParser.js entdeckt ∗∗∗ --------------------------------------------- Angreifer haben die JavaScript-Bibliothek UAParser.js mit Schadcode versehen, der auf betroffenen Rechnern Kryptogeld-Miner installiert. --------------------------------------------- https://heise.de/-6226975 ∗∗∗ Ransomware BlackMatter: Forscher bieten Gratis-Decryption für einige Varianten ∗∗∗ --------------------------------------------- Wer in den letzten Monaten eine Erpresserbotschaft der "BlackMatter"-Gang auf seinen Systemen entdeckt hat, kann jetzt auf Hilfe hoffen. --------------------------------------------- https://heise.de/-6227925 ∗∗∗ Betrügerische Smartphone-Ortungsdienste ∗∗∗ --------------------------------------------- Sie haben Ihr Handy verloren – was nun? Eine Google-Suche nach „Handyortung“ ergibt über 1,5 Millionen Treffer. Apps und Services zur Handyortung erfreuen sich großer Beliebtheit. Doch Vorsicht vor „gratis“ Ortungs-Apps wie www.locating.mobi, www.geolite.mobi, www.goandfind.online. Diese führen in eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-smartphone-ortungsdie… ∗∗∗ Bericht: Ransomware-Gruppe REvil durch koordinierte Aktion mehrerer Staaten zerschlagen ∗∗∗ --------------------------------------------- An der Aktion sind unter anderem die USA beteiligt. In Sicherheitskreisen ist die Aktion wohl schon seit mehreren Tagen bekannt. --------------------------------------------- https://www.zdnet.de/88397355/bericht-ransomware-gruppe-revil-durch-koordin… ∗∗∗ DDoS attacks hit multiple email providers ∗∗∗ --------------------------------------------- At least six email service providers have been hit by large distributed denial of service (DDoS) attacks on Friday, resulting in prolonged outages, The Record has learned. --------------------------------------------- https://therecord.media/ddos-attacks-hit-multiple-email-providers/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt ∗∗∗ JSA11236 ∗∗∗ --------------------------------------------- 2021-10 Security Bulletin: Junos OS: QFX5000 Series: Traffic from the network internal to the device (128.0.0.0) may be forwarded to egress interfaces (CVE-2021-31371) --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11236 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/873965/ ∗∗∗ Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1107 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1109 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2021
by Daily end-of-shift report 22 Oct '21

22 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-10-2021 18:00 − Freitag 22-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Evil Corp demands $40 million in new Macaw ransomware attacks ∗∗∗ --------------------------------------------- Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million… ∗∗∗ Hacking gang creates fake firm to hire pentesters for ransomware attacks ∗∗∗ --------------------------------------------- The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-gang-creates-fake-fi… ∗∗∗ Using Kerberos for Authentication Relay Attacks ∗∗∗ --------------------------------------------- This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentic… ∗∗∗ Windows Exploitation Tricks: Relaying DCOM Authentication ∗∗∗ --------------------------------------------- In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-… ∗∗∗ GPS Daemon (GPSD) Rollover Bug ∗∗∗ --------------------------------------------- Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-r… ∗∗∗ CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader ∗∗∗ --------------------------------------------- Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause. --------------------------------------------- https://www.thezdi.com/blog/2021/10/20/cve-2021-28632-amp-cve-2021-39840-by… ∗∗∗ ASEC Weekly Malware Statistics (October 11th, 2021 – October 17th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 11th, 2021 (Monday) to October 17th, 2021 (Sunday). For the main category, info-stealer ranked top with 58.2%, followed by Downloader with 24.6%, RAT (Remote Administration Tool) malware with 7.4%, Backdoor malware with 4.7%, Ransomware with 4.1%, and Banking malware with 0.9%. --------------------------------------------- https://asec.ahnlab.com/en/28007/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco SD-WAN Security Bug Allows Root Code Execution ∗∗∗ --------------------------------------------- The high-severity bug, tracked as CVE-2021-1529, is an OS command-injection flaw. --------------------------------------------- https://threatpost.com/cisco-sd-wan-bug-code-execution-root/175669/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman). --------------------------------------------- https://lwn.net/Articles/873746/ ∗∗∗ Pulse Secure Pulse Connect Secure: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1103 ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1105 ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2021-32028) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow – CVE-2021-29835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2021
by Daily end-of-shift report 21 Oct '21

21 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-10-2021 18:00 − Donnerstag 21-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Cybercrime matures as hackers are forced to work smarter ∗∗∗ --------------------------------------------- An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hacker… ∗∗∗ Franken-phish: TodayZoo built from other phishing kits ∗∗∗ --------------------------------------------- A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-b… ∗∗∗ "Stolen Images Evidence" campaign pushes Sliver-based malware, (Thu, Oct 21st) ∗∗∗ --------------------------------------------- On Wednesday 2021-10-20, Proofpoint reported the TA551 (Shathak) campaign started pushing malware based on Sliver. Sliver is a framework used by red teams for adversary simluation and penetration testing. --------------------------------------------- https://isc.sans.edu/diary/rss/27954 ∗∗∗ Die Rückkehr der Rootkits – signiert von Microsoft ∗∗∗ --------------------------------------------- Forscher haben in den vergangenen Monaten verstärkt die vermeintlich ausgestorbenen Kernelschadprogramme wiederentdeckt. Eingeschleust werden sie heute anders. --------------------------------------------- https://heise.de/-6224944 ∗∗∗ Innovation aus Österreich: Fake-Shop Detector entlarvt Online-Betrüger ∗∗∗ --------------------------------------------- Fake-Shops im Internet werden immer zahlreicher und zugleich schwieriger zu erkennen. Unterstützung bietet ab sofort die Beta-Version des Fake-Shop Detectors: Das Tool untersucht im Internet-Browser in Echtzeit, ob es sich um seriöse oder betrügerische Onlineshops handelt und stellt somit ein Best Practice für den Nutzen und die Chancen des Einsatzes von Künstlicher Intelligenz für Konsumentinnen und Konsumenten dar. --------------------------------------------- https://www.watchlist-internet.at/news/innovation-aus-oesterreich-fake-shop… ∗∗∗ Using Discord infrastructure for malicious intent ∗∗∗ --------------------------------------------- Research by: Idan Shechter & Omer Ventura Check Point Research (CPR) spotted a multi-functional malware with the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord There are currently over 150 million monthly active users on Discord Users must be aware that Discord’s bot… --------------------------------------------- https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-mal… ∗∗∗ Google unmasks two-year-old phishing & malware campaign targeting YouTube users ∗∗∗ --------------------------------------------- Almost two years after a wave of complaints flooded Googles support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Googles security team has finally tracked down the root cause of these attacks. --------------------------------------------- https://therecord.media/google-unmasks-two-year-old-phishing-malware-campai… ∗∗∗ Kernel Karnage – Part 1 ∗∗∗ --------------------------------------------- I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); --------------------------------------------- https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlichte 19 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat acht Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, eines als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127 ∗∗∗ --------------------------------------------- Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. --------------------------------------------- https://jira.atlassian.com/browse/JRASERVER-72003 ∗∗∗ WinRAR’s vulnerable trialware: when free software isn’t free ∗∗∗ --------------------------------------------- In this article we discuss a vulnerability in the trial version of WinRAR which has significant consequences for the management of third-party software. This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. --------------------------------------------- https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-softwar… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, --------------------------------------------- https://lwn.net/Articles/873601/ ∗∗∗ B. Braun Infusomat Space Large Volume Pump ∗∗∗ --------------------------------------------- This advisory contains mitigation for Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation vulnerabilities in the B. Braun Infusomat Space Large Volume Pump. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in ICONICS GENESIS64 and Mitsubishi Electric MC Works64 HMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-01 ∗∗∗ Delta Electronics DIALink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Cross-site Scripting, Improper Neutralization of Formula Elements in a CSV File, Cleartext Storage of Sensitive Information, Uncontrolled Search Path Element, and Incorrect Default Permissions vulnerabilities in the Delta Electronics DIALink industrial automation server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 OPC UA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Recursion vulnerability in ICONICS GENESIS64, Mitsubishi Electric MC Works64 third-party OPC Foundation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-03 ∗∗∗ RCE in GridPro Request Management for Windows Azure Pack (CVE-2021-40371) ∗∗∗ --------------------------------------------- We recently discovered a vulnerability in GridPro Request Management versions <=2.0.7905 for Windows Azure Pack by GridPro Software. The vulnerability was assigned CVE-2021-40371 by GridPro and in the worst case scenario allows attackers to remotely execute code on the server. --------------------------------------------- https://certitude.consulting/blog/en/rce-in-gridpro-request-management-for-… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei FusionCube Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - CSV Injection Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - Improper Signature Management Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2021
by Daily end-of-shift report 20 Oct '21

20 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-10-2021 18:00 − Mittwoch 20-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ How a simple Linux kernel memory corruption bug can lead to complete system compromise ∗∗∗ --------------------------------------------- This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Busters 4.19.0-13-amd64 kernel. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memo… ∗∗∗ SuDump: Exploiting suid binaries through the kernel ∗∗∗ --------------------------------------------- We will show bugs we found in the Linux kernel that allow unprivileged users to create root-owned core files, and how we were able to use them to get an LPE through the sudo program on machines that have been configured by administrators to allow running a single innocent command. --------------------------------------------- https://alephsecurity.com/2021/10/20/sudump/ ∗∗∗ q-logger skimmer keeps Magecart attacks going ∗∗∗ --------------------------------------------- This case reminds us that web skimming attacks are ongoing even if we dont always hear about them. The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-… ∗∗∗ VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group ∗∗∗ --------------------------------------------- While monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via AppleSeed remote control malware. --------------------------------------------- https://asec.ahnlab.com/en/27346/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2021 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 419 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2021.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi, strongswan). --------------------------------------------- https://lwn.net/Articles/873462/ ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson is vulnerable to cross site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-us… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions.(CVE-2021-29752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-se… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. (CVE-2021-29763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specif… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Drupal core (CVE-2021-32610) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects the Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2021-20571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ VMSA-2021-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0024.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-36160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13401920 ∗∗∗ AUVESY Versiondog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01 ∗∗∗ Trane HVAC Systems Controls ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2021
by Daily end-of-shift report 19 Oct '21

19 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 18-10-2021 18:00 − Dienstag 19-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Umfrage: Komplexe IT und Firmenstrukturen gefährden die Cybersicherheit ∗∗∗ --------------------------------------------- Manager in Deutschland erachten unübersichtliche Technologien, Datenbestände, Betriebsumgebungen und Lieferketten als große Einfallstore für Cyberangreifer. --------------------------------------------- https://heise.de/-6222835 ∗∗∗ Sicherheitsforscher: Microsoft-Cloud verteilt zu leichtfertig Malware ∗∗∗ --------------------------------------------- IT-Spezialisten und Insider werfen Microsoft vor, auf ihren Cloud-Diensten gehostete Malware viel zu langsam zu entfernen. --------------------------------------------- https://heise.de/-6222542 ∗∗∗ SMS über eine ausständige Geldstrafe ist Fake ∗∗∗ --------------------------------------------- Viele ÖsterreicherInnen erhalten momentan ein SMS, das über ein angeblich ausstehendes Bußgeld informiert. In der Nachricht werden Sie aufgefordert, die Zahlung sofort vorzunehmen, ansonsten drohen rechtliche Schritte. Um die Zahlung zu tätigen, sollte ein Link angeklickt werden. Vorsicht: Diese Benachrichtigung ist nicht echt! Sie werden auf eine gefälschte oesterreich.gv.at-Seite geführt. Kriminelle versuchen dort an Ihre Bankdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sms-ueber-eine-ausstaendige-geldstra… ∗∗∗ Free BlackByte decryptor released, after researchers say they found flaw in ransomware code ∗∗∗ --------------------------------------------- Security experts have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. Thats right - you dont need to pay the ransom. Predictably, the ransomware gang isnt happy. --------------------------------------------- https://grahamcluley.com/free-blackbyte-decryptor-released-after-researcher… ∗∗∗ CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/18/cisa-fbi-and-nsa-… ∗∗∗ LightBasin hacking group breaches 13 global telecoms in two years ∗∗∗ --------------------------------------------- A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-bre… ∗∗∗ Trickbot module descriptions ∗∗∗ --------------------------------------------- In this article we describe the functionality of the Trickbot (aka TrickLoader or Trickster) banking malware modules and provide a tip on how to download and analyze these modules. --------------------------------------------- https://securelist.com/trickbot-module-descriptions/104603/ ∗∗∗ A New Variant of FlawedGrace Spreading Through Mass Email Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria. Enterprise security firm Proofpoint tied the malware campaign with high confidence to TA505, [...] --------------------------------------------- https://thehackernews.com/2021/10/a-new-variant-of-flawedgrace-spreading.ht… ∗∗∗ “Killware”: Is it just as bad as it sounds? ∗∗∗ --------------------------------------------- "Killware," as USA TODAY put it, is the latest cyberthreat thats even eclipsing ransomware. But is it all its hyped up to be? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes Surface Pro 3 TPM bypass with public exploit code ∗∗∗ --------------------------------------------- Microsoft has patched a security feature bypass vulnerability impacting Surface Pro 3 tablets that enables threat actors to introduce malicious devices within enterprise environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-surface-pro… ∗∗∗ Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services ∗∗∗ --------------------------------------------- Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine. Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used [...] --------------------------------------------- https://thehackernews.com/2021/10/squirrel-engine-bug-could-let-attackers.h… ∗∗∗ Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- Trend Micro hat Security Advisories zu acht Schwachstellen veröffentlicht. Die Lücken sind zwischen "Low" und "High" eingestuft. --------------------------------------------- https://success.trendmicro.com/solution/000289229 ∗∗∗ Security Bulletin for Trend Micro Worry-Free Business Security and Worry-Free Business Security Services ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Services (SaaS) that resolve several vulnerabilities listed below. --------------------------------------------- https://success.trendmicro.com/solution/000289230 ∗∗∗ RHSA-2021:3759 - Security Advisory ∗∗∗ --------------------------------------------- Red Hat OpenShift Container Platform release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. --------------------------------------------- https://access.redhat.com/errata/RHSA-2021:3759 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could [...] --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan). --------------------------------------------- https://lwn.net/Articles/873307/ ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities (CVE-2020-15168, CVE-2021-29912) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2369 and CVE-2021-2432 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2021
by Daily end-of-shift report 18 Oct '21

18 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-10-2021 18:00 − Montag 18-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unternehmensbetrug: Diese Gefahren sollten Unternehmen und ihre MitarbeiterInnen kennen! ∗∗∗ --------------------------------------------- Internetbetrug betrifft nicht nur Privatpersonen, auch Unternehmen sind eine beliebte Zielscheibe für Cyberkriminelle. Angegriffen wird allerdings nicht nur die technische Infrastruktur von Unternehmen, vielmehr zielen Attacken hauptsächlich auf die MitarbeiterInnen ab. Im Rahmen des Projekts „CyberSec“ will sich die Watchlist Internet daher verstärkt dem Thema Unternehmensbetrug widmen, um Betriebe im Bereich der Internetsicherheit zu stärken. --------------------------------------------- https://www.watchlist-internet.at/news/unternehmensbetrug-diese-gefahren-so… ∗∗∗ REvil ransomware shuts down again after Tor sites were hijacked ∗∗∗ --------------------------------------------- The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-… ∗∗∗ Microsoft asks admins to patch PowerShell to fix WDAC bypass ∗∗∗ --------------------------------------------- Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-admins-to-pa… ∗∗∗ Warranty Repairs and Non-Removable Storage Risks, (Fri, Oct 15th) ∗∗∗ --------------------------------------------- I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets. With each of these situations, the question boiled down to the same underlying issue: non-removable storage --------------------------------------------- https://isc.sans.edu/diary/rss/27938 ∗∗∗ Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th) ∗∗∗ --------------------------------------------- Attackers have many ways to protect their C2 servers from unwanted connections. They can check some specific headers, the user-agent, the IP address location (GeoIP), etc. I spotted an interesting PowerShell sample that implements a client certificate authentication mechanism to access its C2 server. --------------------------------------------- https://isc.sans.edu/diary/rss/27944 ∗∗∗ Security Risks with Private 5G in Manufacturing Companies ∗∗∗ --------------------------------------------- Private 5G is said to bring about the "democratization of communications." This technology allows private companies and local governments to take the driving seat in operating the latest information communication systems. --------------------------------------------- https://www.trendmicro.com/en_us/research/21/j/security-risks-with-private-… ∗∗∗ Ransomware in a global context ∗∗∗ --------------------------------------------- This report is the first step in what we hope will become an ongoing community effort to discover and share actionable information on malware trends. Over the last 16 years, we have processed more than 2 million files per day across 232 countries. --------------------------------------------- https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf ∗∗∗ Case Study: From BazarLoader to Network Reconnaissance ∗∗∗ --------------------------------------------- BazarLoader Windows-based malware provides backdoor access that criminals can use to perform reconnaissance to map the victims network. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/ ∗∗∗ This particularly dangerous phishing attack features a weaponized Excel file ∗∗∗ --------------------------------------------- Security researchers warn about a sneaky phishing campaign from one of the most creative cybercrime groups on the internet. --------------------------------------------- https://www.zdnet.com/article/this-particularly-dangerous-phishing-attack-f… ∗∗∗ Virus Bulletin: Old malware never dies – it just gets more targeted ∗∗∗ --------------------------------------------- Putting a precision payload on top of more generic malware makes perfect sense for malware operators --------------------------------------------- https://www.welivesecurity.com/2021/10/15/virus-bulletin-old-malware-never-… ∗∗∗ IcedID to XingLocker Ransomware in 24 hours ∗∗∗ --------------------------------------------- Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early [...] --------------------------------------------- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-… ∗∗∗ ASEC Weekly Malware Statistics (October 4th, 2021 – October 10th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 4th, 2021 (Monday) to October 10th, 2021 (Sunday). For the main category, info-stealer ranked top with 68.4%, followed by Downloader with 12.6%, RAT (Remote Administration Tool) malware with 8.6%, Backdoor Downloader with 6.3%, Ransomware with 3.7%, and Banking malware with 0.3%. --------------------------------------------- https://asec.ahnlab.com/en/27824/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Beliebtes Plugin "WP Fastest Cache" braucht dringend ein Update ∗∗∗ --------------------------------------------- Jetzt updaten: Das Cache-Plugin WP Fastest Cache wies Schwachstellen auf, die WordPress-Installationen unter bestimmten Voraussetzungen angreifbar machten. --------------------------------------------- https://heise.de/-6220994 ∗∗∗ 2021-10 Security Bulletin: CTPView: HSTS not being enforced on CTPView server. (CVE-2021-0296) ∗∗∗ --------------------------------------------- The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11210 ∗∗∗ 2021-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packet on MS-MPC/MS-MIC causes line card reset (CVE-2021-31351) ∗∗∗ --------------------------------------------- An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS). --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11216 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx). --------------------------------------------- https://lwn.net/Articles/873210/ ∗∗∗ 128 Technology Session Smart Router vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85073657/ ∗∗∗ Eclipse Jetty vulnerability CVE-2021-28165 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15338344?utm_source=f5support&utm_mediu… ∗∗∗ Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53225395?utm_source=f5support&utm_mediu… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1077 ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to jzsip (CVE-2021-23413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: Cross site scripting vulnerability affecting Case Builder in IBM Business Automation Workflow – CVE-2021-29878 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Have been addressed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2021
by Daily end-of-shift report 15 Oct '21

15 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-10-2021 18:00 − Freitag 15-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Accenture confirms data breach after August ransomware attack ∗∗∗ --------------------------------------------- Global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the companys systems in August 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/accenture-confirms-data-brea… ∗∗∗ BlackByte Ransomware – Pt. 1 In-depth Analysis ∗∗∗ --------------------------------------------- During a recent malware incident response case, we encountered an interesting piece of ransomware that goes by the name of BlackByte. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-r… ∗∗∗ BlackByte Ransomware – Pt 2. Code Obfuscation Analysis ∗∗∗ --------------------------------------------- We received the original launcher file from an Incident Response case. It was about 630 KB of JScript code which was seemingly full of garbage code – hiding the real intent. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-r… ∗∗∗ Employee offboarding: Why companies must close a crucial gap in their security strategy ∗∗∗ --------------------------------------------- There are various ways a departing employee could put your organization at risk of a data breach. How do you offboard employees the right way and ensure your data remains safe? --------------------------------------------- https://www.welivesecurity.com/2021/10/14/employee-offboarding-companies-cl… ∗∗∗ Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to U.S. Water and Wastewater Systems (WWS) Sector. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/14/ongoing-cyber-thr… ∗∗∗ A malware botnet has made more than $24.7 million since 2019 ∗∗∗ --------------------------------------------- The operators of a malware botnet known as MyKings are believed to have made more than $24.7 million through what security researchers call a "clipboard hijacker." --------------------------------------------- https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-si… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 11 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4). --------------------------------------------- https://lwn.net/Articles/873056/ ∗∗∗ ZDI-21-1211: (0Day) Fuji Electric Alpha5 A5V File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1211/ ∗∗∗ ZDI-21-1210: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1210/ ∗∗∗ ZDI-21-1209: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1209/ ∗∗∗ ZDI-21-1208: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1208/ ∗∗∗ Schneider Electric CNM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-01 ∗∗∗ Uffizio GPS Tracker ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-02 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-03 ∗∗∗ Siemens RUGGEDCOM ROX (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01 ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/15/apache-releases-s… ∗∗∗ SYSS-2019-018/SYSS-2019-019: Unsichere Dateisystemberechtigungen und Installationsmodi in Ivanti DSM ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2019-018/syss-2019-019-unsichere-date… ∗∗∗ Change in Magniber Ransomware Vulnerability (CVE-2021-40444) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/27264/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2021
by Daily end-of-shift report 14 Oct '21

14 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-10-2021 18:00 − Donnerstag 14-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Nach Datenleck: Hausdurchsuchung statt Dankeschön ∗∗∗ --------------------------------------------- Rund 700.000 Personen sind von einem Datenleck betroffen. Ein Programmierer hatte die Lücke entdeckt und gemeldet - und erhielt eine Anzeige. Von Moritz Tremmel (Datenleck, Server) --------------------------------------------- https://www.golem.de/news/nach-datenleck-hausdurchsuchung-statt-dankeschoen… ∗∗∗ Romance scams with a cryptocurrency twist – new research from SophosLabs ∗∗∗ --------------------------------------------- Romance scams and dating site treachery with a new twist - "theres an app for that!" --------------------------------------------- https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurr… ∗∗∗ A Handshake with MySQL Bots ∗∗∗ --------------------------------------------- It’s well known that we just don’t put services or devices on the edge of the Internet without strong purpose justification. Services, whether maintained by end-users or administrators, have a ton of security challenges. Databases belong to a group that often needs direct access to the Internet - no doubt that security requirements are a priority here. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/handshake-w… ∗∗∗ We analyzed 80 million ransomware samples – here’s what we learned ∗∗∗ --------------------------------------------- [...] VirusTotal’s first Ransomware Activity Report provides a holistic view of ransomware attacks by combining more than 80 million potential ransomware-related samples submitted over the last year and a half. --------------------------------------------- https://blog.google/technology/safety-security/we-analyzed-80-million-ranso… ∗∗∗ “Free Steam game” scams on TikTok are Among Us ∗∗∗ --------------------------------------------- We look at a dubious free game offer via TikTok, and explore what the site owners expect you to do in order to snag a supposed freebie. --------------------------------------------- https://blog.malwarebytes.com/scams/2021/10/free-steam-game-scams-on-tiktok… ∗∗∗ Wege in Fake-Shops ∗∗∗ --------------------------------------------- Betrügerische und unseriöse Shops sind ein großes Problem im Online-Handel. Doch wie kommen Konsumentinnen und Konsumenten eigentlich zu Fake-Shops? Mit dieser Frage hat sich die Watchlist Internet in den Sommermonaten beschäftigt. Klar wurde: Google- und Facebook-Werbung sind die größten Zubringer zu Fake-Shops. Über diese Wege kommt der Großteil der Opfer auf betrügerische Online-Shops. --------------------------------------------- https://www.watchlist-internet.at/news/wege-in-fake-shops/ ∗∗∗ Don’t get phished! How to be the one that got away ∗∗∗ --------------------------------------------- If it looks like a duck, swims like a duck, and quacks like a duck, then its probably a duck. Now, how do you apply the duck test to defense against phishing? --------------------------------------------- https://www.welivesecurity.com/2021/10/13/phishing-how-be-one-got-away/ ∗∗∗ New Yanluowang ransomware used in targeted attacks ∗∗∗ --------------------------------------------- New arrival to the targeted ransomware scene appears to be still in development. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ya… ∗∗∗ Acer confirms second security breach this year ∗∗∗ --------------------------------------------- A spokesperson for Taiwanese computer maker Acer has confirmed today that the company suffered a second security breach this year after hackers advertised the sale of more than 60 GB of data on an underground cybercrime forum.The post Acer confirms second security breach this year appeared first on The Record by Recorded Future. --------------------------------------------- https://therecord.media/acer-confirms-second-security-breach-this-year/ ∗∗∗ Q&A: Secure PLC Programming Insights ∗∗∗ --------------------------------------------- Members of the Top 20 Secure PLC Coding Practices project recently joined Claroty’s Aperture podcast to discuss the group’s list of top 20 secure coding practices for programmable logic controllers (PLCs). What follows is an edited transcript of our discussion with Martin Scheu of SWITCH-CERT and Dirk Rotermund of gefeba Engineering GmbH. --------------------------------------------- https://claroty.com/2021/10/13/blog-qa-secure-plc-programming-insights/ ∗∗∗ Windows Oktober 2021-Updates: PrintNightmare-Stand und Netzwerk-Druckprobleme ∗∗∗ --------------------------------------------- Zum 12. Oktober 2021 hat Microsoft neue Schwachstellen im Umfeld der als PrintNightmare bekannten Sicherheitslücken per Update adressiert. Daher ein kurzer Blick auf das betreffende Thema, welches auch weiterhin nicht vom Tisch ist. --------------------------------------------- https://www.borncity.com/blog/2021/10/14/windows-oktober-2021-updates-print… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 16 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (golang, grilo, mediawiki, plib, python-flask-restx, python-mpmath, thunderbird, and xstream/xmlpull/mxparser), Oracle (389-ds-base, grafana, httpd:2.4, kernel, libxml2, and openssl), Red Hat (httpd), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/872945/ ∗∗∗ Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-043 ∗∗∗ Juniper JUNOS und Juniper JUNOS Evolved: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1070 ∗∗∗ Microsoft Exchange Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1069 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2021
by Daily end-of-shift report 13 Oct '21

13 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-10-2021 18:00 − Mittwoch 13-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ MysterySnail attacks with Windows zero-day ∗∗∗ --------------------------------------------- We detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. Variants of the malware payload used along with the zero-day exploit were detected in widespread espionage campaigns. --------------------------------------------- https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/ ∗∗∗ Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis ∗∗∗ --------------------------------------------- Cobalt Strike is a commercial adversary simulation software that is marketed to red teams but is also stolen and actively used by a wide range of threat actors from ransomware operators to espionage-focused Advanced Persistent Threats (APTs). --------------------------------------------- https://www.mandiant.com/resources/defining-cobalt-strike-components ∗∗∗ 2021: Apples Jahr der Zero-Days ∗∗∗ --------------------------------------------- In dieser Woche hat Apple erneut eine bereits ausgenutzte iPhone-Lücke gepatcht. Seit Februar gab es mehr als ein Dutzend in den Systemen des Konzerns. --------------------------------------------- https://heise.de/-6215715 ∗∗∗ Azure Privilege Escalation via Service Principal Abuse ∗∗∗ --------------------------------------------- In this blog post, I’ll explain how a particular kind of attack path can emerge in Azure based on Azure’s RBAC system — an attack path we have seen in the vast majority of Azure tenants we’ve gotten access to. --------------------------------------------- https://posts.specterops.io/azure-privilege-escalation-via-service-principa… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP-Patchday: NetWeaver AS & Environmental Compliance bargen kritische Lücken ∗∗∗ --------------------------------------------- Zum monatlichen Patchday hat SAP Updates für viele Produkte veröffentlicht. Zwei beseitigten Sicherheitsproblemen wurden CVSS-Scores nahe der 10 zugeordnet. --------------------------------------------- https://heise.de/-6215952 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flatpak and ruby2.3), Fedora (flatpak, httpd, mediawiki, redis, and xstream), openSUSE (kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), Red Hat (.NET 5.0, 389-ds-base, httpd:2.4, kernel, kernel-rt, libxml2, openssl, and thunderbird), Scientific Linux (389-ds-base, kernel, libxml2, and openssl), SUSE (apache2-mod_auth_openidc, curl, glibc, kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), and Ubuntu (squashfs-tools). --------------------------------------------- https://lwn.net/Articles/872843/ ∗∗∗ The October 2021 Security Update Review ∗∗∗ --------------------------------------------- The second Tuesday of the month is here, and that means the latest security updates from Adobe and Microsoft have arrived. --------------------------------------------- https://www.thezdi.com/blog/2021/10/12/the-october-2021-security-update-rev… ∗∗∗ Sicherheitsupdates für Exchange Server (Oktober 2021) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Oktober 2021 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2021/10/13/sicherheitsupdates-fr-exchange-ser… ∗∗∗ ZDI-21-1147: Adobe Illustrator PDF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1147/ ∗∗∗ ZDI-21-1146: Adobe Illustrator PDF File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1146/ ∗∗∗ ZDI-21-1148: Linux Kernel eBPF Type Confusion Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1148/ ∗∗∗ VMSA-2021-0021 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0021.html ∗∗∗ VMSA-2021-0022 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0022.html ∗∗∗ VMSA-2021-0023 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0023.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-34798 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K72382141 ∗∗∗ Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-pa… ∗∗∗ Cross-Site Scripting in myfactory.FMS ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/ ∗∗∗ IPAS: Security Advisories for October 2021 ∗∗∗ --------------------------------------------- https://blogs.intel.com/technology/2021/10/intel-security-advisories-for-oc… ∗∗∗ SYSS-2021-014, SYSS-2021-015 und SYSS-2021-019: Schwachstellen in Softphones von Linphone und MicroSIP ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-014-syss-2021-015-und-syss-2021-… ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500444-THINKPAD-BIOS-VULNERABI… ∗∗∗ NetApp Clustered Data ONTAP X-Frame-Options Header Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500442-NETAPP-CLUSTERED-DATA-O… ∗∗∗ AMD x86 PREFETCH instruction related side-channels ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500445-AMD-X86-PREFETCH-INSTRU… ∗∗∗ Intel SGX SDK Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500443-INTEL-SGX-SDK-ADVISORY -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2021
by Daily end-of-shift report 12 Oct '21

12 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 11-10-2021 18:00 − Dienstag 12-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Javascript: RSA-Schlüsselerzeugung mit vielen Nullen ∗∗∗ --------------------------------------------- Github sperrt unsichere SSH-Schlüssel, die durch einen Fehler in einer Javascript-Bibliothek erzeugt wurden. --------------------------------------------- https://www.golem.de/news/javascript-rsa-schluesselerzeugung-mit-vielen-nul… ∗∗∗ iOS 15.0.2 und watchOS 8.0.1: Viele Bugfixes – und wieder ein Exploit im Umlauf ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Dienstag seine iPhone-, iPad- und Apple-Watch-Betriebssysteme nachgebessert. Bei Telefon und Tablet geht es auch um die Sicherheit. --------------------------------------------- https://heise.de/-6214563 ∗∗∗ Johnson Controls: Lücken boten Remote-Zugriffsmöglichkeiten auf Videoüberwachung ∗∗∗ --------------------------------------------- Updates für die Videoüberwachungslösung exacqVision von Johnson Controls/Exacq Technologies schließen zwei Sicherheitslücken. Eine gilt als kritisch. --------------------------------------------- https://heise.de/-6215264 ∗∗∗ Vorsicht vor Microsoft-Anrufen ∗∗∗ --------------------------------------------- Legen Sie sofort auf, wenn Sie angeblich von Microsoft angerufen werden. Kriminelle geben sich als Microsoft-MitarbeiterInnen aus und behaupten, sie hätten auf Ihrem Computer einen Virus entdeckt. Die Fake-Microsoft-MitarbeiterInnen verwickeln Sie dann in ein Gespräch und bieten Ihnen an, das Problem gemeinsam zu lösen. Achtung: Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-microsoft-anrufen/ ∗∗∗ Photo editor Android app STILL sitting on Google Play store is malware ∗∗∗ --------------------------------------------- An Android app sitting on the Google Play store touts itself to be a photo editor app. But, it contains code that steals the users Facebook credentials to potentially run ad campaigns on the users behalf, with their payment information. The app has scored over 5K installs, with similar spyware apps having 500K+ installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/photo-editor-android-app-sti… ∗∗∗ How cyberattacks are changing according to new Microsoft Digital Defense Report ∗∗∗ --------------------------------------------- Get the latest expert insights on human-operated ransomware, phishing attacks, malware, and more to get ahead of these threats before they begin. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/11/how-cyberattacks-are-cha… ∗∗∗ SnapMC skips ransomware, steals data ∗∗∗ --------------------------------------------- Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the [...] --------------------------------------------- https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/ ∗∗∗ Reverse engineering and decrypting CyberArk vault credential files ∗∗∗ --------------------------------------------- This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. --------------------------------------------- https://blog.fox-it.com/2021/10/12/reverse-engineering-and-decrypting-cyber… ∗∗∗ New Trickbot and BazarLoader campaigns use multiple delivery vectors ∗∗∗ --------------------------------------------- Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloade… ∗∗∗ Inside Apple: How macOS attacks are evolving ∗∗∗ --------------------------------------------- Our Apple expert Thomas Reed went to the Objective by the Sea security conference. Heres what he learned about macOS attacks. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-ma… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products. The companies have released patches and mitigations to address these vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ ASEC Weekly Malware Statistics (September 27th, 2021 – October 3rd, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 27th, 2021 (Monday) to October 3rd, 2021 (Sunday). For the main category, info-stealer ranked top with 63.2%, followed by Downloader with 19.2%, RAT (Remote Administration Tool) malware with 10.7%, Backdoor Downloader with 3.7%, Ransomware with 1.9%, CoinMiner with 1.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/27577/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer könnten digitale Unterschrift in LibreOffice und OpenOffice fälschen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Office-Pakete LibreOffice und OpenOffice. --------------------------------------------- https://heise.de/-6214784 ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, buffer overflows ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two vulnerabilities in the Anker Eufy Homebase. The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem. --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-anker-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid). --------------------------------------------- https://lwn.net/Articles/872696/ ∗∗∗ # SSA-163251: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. Siemens has released an update for SINEC NMS and recommends to update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-163251.txt ∗∗∗ # SSA-173565: Denial-of-Service Vulnerability in RUGGEDCOM ROX Devices ∗∗∗ --------------------------------------------- The latest update for RUGGEDCOM ROX devices fixes a vulnerability that could allow an unauthenticated attacker to cause a permanent Denial-of-Service condition under certain conditions. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-173565.txt ∗∗∗ # SSA-178380: Denial-of-Service Vulnerability in SINUMERIK Controllers ∗∗∗ --------------------------------------------- A Denial-of-Service vulnerability found in SINUMERIK Controllers could allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability. Siemens has released an update for the SINUMERIK 828D and recommends to update to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-178380.txt ∗∗∗ # SSA-280624: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- The Scalance W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or trigger buffer overflows. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-280624.txt ∗∗∗ Advantech WebAccess SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authorization vulnerability in the Advantech WebAccess SCADA HMI platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, and Stack-based Buffer Overflow vulnerabilities in the Advantech WebAccess HMI platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- This advisory contains mitigations for Classic Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in Schneider Electric IGSS (Interactive Graphical SCADA System) software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-03 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Foxit Reader & PhantomPDF: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1053 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2021
by Daily end-of-shift report 11 Oct '21

11 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-10-2021 18:00 − Montag 11-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Missbrauch mit Malware-Befall: Microsoft deaktiviert Excel 4.0-Makros in Office ∗∗∗ --------------------------------------------- Gegen immer mehr Angriffe über Excel-Makros geht Microsoft nun vor: Standardmäßig werden alle Excel 4.0-Makros in Office 365 demnächst deaktiviert. --------------------------------------------- https://heise.de/-6213387 ∗∗∗ Kaufen Sie nicht in Shops mit @thateer.top Mail-Adressen ein! ∗∗∗ --------------------------------------------- Derzeit tauchen zahlreiche Fake-Shops im Internet auf, die alle ähnlich aufgebaut sind, die gleichen Texte verwenden und unter einer dieser E-Mail-Adressen erreichbar sind: [...] --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-shops-mit-thatee… ∗∗∗ Ransomware wegen Homeoffice auf dem Vormarsch ∗∗∗ --------------------------------------------- Bedingt durch die Coronavirus-Pandemie arbeiten seit 2020 Menschen vermehrt im Homeoffice. Leider konnte die Absicherung dieser Arbeitsplätze mit dieser Entwicklung nicht Schritt halten. Gleichzeitig hat die Cyberkriminalität mit der verstärkten Telearbeit in Unternehmen durch die Pandemiekrise weiter aufgerüstet und ihre [...] --------------------------------------------- https://www.borncity.com/blog/2021/10/11/ransomware-auf-dem-vormarsch/ ∗∗∗ The 5 Phases of Zero Trust Adoption ∗∗∗ --------------------------------------------- Zero trust aims to replace implicit trust with explicit, continuously adaptive trust across users, devices, networks, applications, and data. --------------------------------------------- https://www.darkreading.com/endpoint/the-5-phases-of-zero-trust-adoption ∗∗∗ Scanning for Previous Oracle WebLogic Vulnerabilities, (Sat, Oct 9th) ∗∗∗ --------------------------------------------- In the past few weeks, I have captured multiple instance of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to a RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the CVE-2017-3506 patch's limitations. The POST contains an init.sh script which doesn't appear to be available for download. --------------------------------------------- https://isc.sans.edu/diary/rss/27918 ∗∗∗ Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th) ∗∗∗ --------------------------------------------- If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27924 ∗∗∗ When criminals go corporate: Ransomware-as-a-service, bulk discounts and more ∗∗∗ --------------------------------------------- This summer, Abnormal Security discovered that some of its customers staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the "profits". --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/10/11/ransomware_a… ∗∗∗ CISA Releases Remote Access Guidance for Government Agencies ∗∗∗ --------------------------------------------- The United States Cybersecurity and Infrastructure Security Agency (CISA) last week announced the release a new guidance document: Trusted Internet Connections (TIC) 3.0 Remote User Use Case. --------------------------------------------- https://www.securityweek.com/cisa-releases-remote-access-guidance-governmen… ∗∗∗ InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks ∗∗∗ --------------------------------------------- Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available. --------------------------------------------- https://www.securityweek.com/inhand-router-flaws-could-expose-many-industri… ∗∗∗ Protect your network ∗∗∗ --------------------------------------------- So, you know where your wallet is, yes? And your phone - it's in your pocket, or just over there on the table? Excellent. You might be reading this on your laptop, so you know where that is. You might have a snazzy Smart TV or two? Perhaps you have joined [...] --------------------------------------------- https://connect.geant.org/2021/10/11/protect-your-network ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm). --------------------------------------------- https://lwn.net/Articles/872547/ ∗∗∗ Security Advisory - Use-after-free Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei PC Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-3757 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerability CVE-2021-31525 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ MediaWiki Extensions und Skins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1050 ∗∗∗ Apache OpenOffice und LibreOffice: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1051 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2021
by Daily end-of-shift report 08 Oct '21

08 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-10-2021 18:00 − Freitag 08-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rapid RYUK Ransomware Attack Group Christened as FIN12 ∗∗∗ --------------------------------------------- Prolific ransomware cybercrime groups approach underscores a complicated, layered model of cybercrime. --------------------------------------------- https://www.darkreading.com/attacks-breaches/rapid-ryuk-ransomware-attack-g… ∗∗∗ Sorting Things Out - Sorting Data by IP Address, (Fri, Oct 8th) ∗∗∗ --------------------------------------------- One thing that is huge in making sense of large volumes of data is sorting. Which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment of pentest. --------------------------------------------- https://isc.sans.edu/diary/rss/27916 ∗∗∗ Free BrewDog beer, with a side order of shareholder PII? ∗∗∗ --------------------------------------------- BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers. --------------------------------------------- https://www.pentestpartners.com/security-blog/free-brewdog-beer-with-a-side… ∗∗∗ FontOnLake: Previously unknown malware family targeting Linux ∗∗∗ --------------------------------------------- ESET researchers discover a malware family with tools that show signs they’re used in targeted attacks. --------------------------------------------- https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-mal… ∗∗∗ NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guid… ∗∗∗ Microsoft to disable Excel 4.0 macros, one of the most abused Office features ∗∗∗ --------------------------------------------- Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also XLM macros, for all Microsoft 365 users by the end of the year [...] --------------------------------------------- https://therecord.media/microsoft-to-disable-excel-4-0-macros-one-of-the-mo… ∗∗∗ Malicious PowerPoint Files Constantly Being Distributed ∗∗∗ --------------------------------------------- On April 2021, the ASEC analysis team introduced the malware delivered via PowerPoint files attached to email in the ASEC blog. The team has found continuous malicious activities that use PPAM files in the form of PowerPoint and thus is sharing them. --------------------------------------------- https://asec.ahnlab.com/en/26597/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/872267/ ∗∗∗ Google Patches Four Severe Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google this week announced the release of an updated Chrome version for Windows, Mac and Linux, to address a total of four high-severity vulnerabilities in the browser. --------------------------------------------- https://www.securityweek.com/google-patches-four-severe-vulnerabilities-chr… ∗∗∗ Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ∗∗∗ --------------------------------------------- On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-h… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-23436 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors (CVE-2021-29906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39135 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Access Control Vulnerability Affects the User Interface of IBM Sterling File Gateway (CVE-2020-4654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-vulnerabil… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Packet Capture contains multiple vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251, CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39134 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2020-5008) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1049 ∗∗∗ Johnson Controls exacqVision Server Bundle ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01 ∗∗∗ Mobile Industrial Robots Vehicles and MiR Fleet Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-02 ∗∗∗ Johnson Controls exacqVision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-04 ∗∗∗ InHand Networks IR615 Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06 ∗∗∗ FATEK Automation Communication Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2021
by Daily end-of-shift report 07 Oct '21

07 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-10-2021 18:00 − Donnerstag 07-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Air-Gap-Hack: LAN-Kabel als Antenne nutzen, um Daten auszuleiten ∗∗∗ --------------------------------------------- Auch wenn ein Netzwerk nicht mit dem Internet verbunden ist, lassen sich Daten ausleiten. Dazu hat ein Forscher ein LAN-Kabel zur Antenne umfunktioniert. --------------------------------------------- https://www.golem.de/news/air-gap-hack-lan-kabel-als-antenne-nutzen-um-date… ∗∗∗ Cisco schließt Root-Lücke in Intersight Virtual Appliance ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Software wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-6211537 ∗∗∗ Neue Malware-Familie für Linux entdeckt ∗∗∗ --------------------------------------------- Die von ihren Entdeckern FontOnLake getaufte Malware-Familie aus trojanisierten Programmen, Backdoors und einem Rootkit eignet sich für gezielte Angriffe. --------------------------------------------- https://heise.de/-6211764 ∗∗∗ Tor Browser und Tails: Anonymisierender Browser & OS in abgesicherten Versionen ∗∗∗ --------------------------------------------- Etwas später als geplant ist eine neue Version der Linux-Distribution Tails erschienen. An Bord hat sie den ebenfalls taufrischen Tor Browser 10.5.8. --------------------------------------------- https://heise.de/-6211744 ∗∗∗ Hackers use stealthy ShellClient malware on aerospace, telco firms ∗∗∗ --------------------------------------------- Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-stealthy-shellcl… ∗∗∗ Unpatched Dahua cams vulnerable to unauthenticated remote access ∗∗∗ --------------------------------------------- Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case of upgrading pressing. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnera… ∗∗∗ MacOS Security: What Security Teams Should Know ∗∗∗ --------------------------------------------- As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees. --------------------------------------------- https://www.darkreading.com/edge-articles/mac-attacks-how-secure-are-the-ma… ∗∗∗ Ransomware in the CIS ∗∗∗ --------------------------------------------- Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker. --------------------------------------------- https://securelist.com/cis-ransomware/104452/ ∗∗∗ Apache HTTP Server CVE-2021-41773 Exploited in the Wild ∗∗∗ --------------------------------------------- On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. --------------------------------------------- https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-417… ∗∗∗ Medtronics Insulin Pump Controllers Are Vulnerable to Hackers ∗∗∗ --------------------------------------------- The company just expanded its recall of insulin pump remote controllers that can be hijacked to alter insulin amounts. Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorized people could hijack the devices to alter how much insulin is delivered to a patient. --------------------------------------------- https://gizmodo.com/medtronics-insulin-pump-controllers-are-vulnerable-to-h… ∗∗∗ Life is Pane: Persistence via Preview Handlers ∗∗∗ --------------------------------------------- [...] The preview pane allows users to have a quick peek at the content of a selected file without actually having to open it. This feature is disabled on default Windows 10 builds, but can be enabled in the Explorer menu under View→Preview pane. While this seems relatively simple at face value, it is anything but under the hood. For example, how does Windows know how to display the contents of certain filetypes but not others? Are the previews controlled by Explorer or is it done in another process? Are these handlers abusable? We spent a few days exploring preview handlers to gain a deeper understanding of how they work and answer these questions. --------------------------------------------- https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3… ∗∗∗ CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation ∗∗∗ --------------------------------------------- In June of 2021, Microsoft released a patch to correct CVE-2021-26420 - a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Security Advisories zu 16 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, sechs als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2021-10-07 ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: Cisco ATA19X Privilege Escalation and RCE ∗∗∗ --------------------------------------------- 1. Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the “user” account from performing “admin”-privileged actions. As such, a user who logs in with “user” privileges is able to perform actions that should only be performed by an “admin” user. 2. Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers [...] --------------------------------------------- https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalati… ∗∗∗ CVE-2021-33602: Denial-of-Service (DoS) Vulnerabilty ∗∗∗ --------------------------------------------- A vulnerability affecting the F-Secure antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in denial-of-service of the antivirus engine. --------------------------------------------- https://www.f-secure.com/en/business/support-and-downloads/security-advisor… ∗∗∗ Typo3: Neue Version schließt zwei Sicherheitslücken im CMS ∗∗∗ --------------------------------------------- Lücken im Content-Management-System hätten Angreifern schlimmstenfalls Admin-Rechte gewähren können. Die neue Typo3-Version 11.5 bannt die Gefahr. --------------------------------------------- https://heise.de/-6211486 ∗∗∗ High Severity Vulnerability Patched in Access Demo Importer Plugin ∗∗∗ --------------------------------------------- On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 [...] --------------------------------------------- https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle). --------------------------------------------- https://lwn.net/Articles/872154/ ∗∗∗ Apache OpenOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1041 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2021
by Daily end-of-shift report 06 Oct '21

06 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-10-2021 18:00 − Mittwoch 06-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Collaborative Research on the CONTI Ransomware Group ∗∗∗ --------------------------------------------- Ransomware remains one of the pre-eminent cyber threats, with the evolution in tactics, techniques and procedures (TTPs) amongst threat actor groups over recent years upping the stakes for both victims and defenders. --------------------------------------------- https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-… ∗∗∗ Syniverse: Möglicherweise SMS von Milliarden Menschen gehackt ∗∗∗ --------------------------------------------- Hacker sind über Jahre in ein Unternehmen eingedrungen, das Anrufe und SMS zwischen Mobilfunkunternehmen austauscht. --------------------------------------------- https://www.golem.de/news/syniverse-moeglicherweise-sms-von-milliarden-mens… ∗∗∗ Threat hunting in large datasets by clustering security events ∗∗∗ --------------------------------------------- Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. --------------------------------------------- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets… ∗∗∗ Landespolizeidirektion Steiermark: Warnung vor Betrugsversuchen mittels LPD-SMS ∗∗∗ --------------------------------------------- Am Montag, 4. Oktober 2021, versendeten unbekannte Täter in betrügerischer Absicht SMS Nachrichten. Als Absender scheint "Landespolizeidirektion (LPD) auf". Die Polizei warnt eindringlich vor diesen Betrugsversuchen. --------------------------------------------- https://www.watchlist-internet.at/news/landespolizeidirektion-steiermark-wa… ∗∗∗ Unsere Tipps, um unseriöse Notfalldienste zu entlarven! ∗∗∗ --------------------------------------------- Bei Notfällen wie einem Rohrbruch, Stromausfall oder einem Gasgebrechen ist schnelle Hilfe notwendig. Häufig bleibt da für eine genaue Überprüfung der Handwerksdienste keine Zeit. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-tipps-um-unserioese-notfalldi… ∗∗∗ Cybersecurity in Power Grids: Challenges and Opportunities. (arXiv:2105.00013v2 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- Increasing volatilities within power transmission and distribution forcepower grid operators to amplify their use of communication infrastructure tomonitor and control their grid. The resulting increase in communication creates a larger attack surface for malicious actors. --------------------------------------------- http://arxiv.org/abs/2105.00013 ===================== = Vulnerabilities = ===================== ∗∗∗ Actively exploited Apache 0-day also allows remote code execution ∗∗∗ --------------------------------------------- Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed. These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlicht 31 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cryptopp), Mageia (apache), Slackware (httpd), and Ubuntu (squid, squid3). --------------------------------------------- https://lwn.net/Articles/872029/ ∗∗∗ FortiWebManager - Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-027 ∗∗∗ FortiAnalyzer & FortiManager - Forticloud credentials observed in cleartext in the logfile ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-21-112 ∗∗∗ FortiSDNConnector - Credential leak ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-183 ∗∗∗ FortiClientEMS - Session cookie does not expire after logout ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-072 ∗∗∗ XSA-386 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-386.html ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1034 ∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-01 ∗∗∗ Emerson WirelessHART Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02 ∗∗∗ Moxa MXview Network Management Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-03 ∗∗∗ Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSMA-18-219-02 ∗∗∗ CISA Releases Security Advisory for Honeywell Experion and ACE Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily