=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-02-2021 18:00 - Monday 08-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ IT security: Google offers a database of vulnerabilities in open-source software ∗∗∗
---------------------------------------------
Whether one's own software or its dependencies are affected by security vulnerabilities is sometimes not easy to find out. Google wants to help here.
---------------------------------------------
https://www.golem.de/news/it-security-google-bietet-datenbank-zu-luecken-in…
∗∗∗ FOSDEM: Watching hackers on your own honeypot server ∗∗∗
---------------------------------------------
At FOSDEM, two developers presented a clever method for building your own SSH honeypot and looking over the hackers' shoulders.
---------------------------------------------
https://heise.de/-5048084
∗∗∗ The makers of the Ziggy ransomware regret their deeds and give up ∗∗∗
---------------------------------------------
Anyone who caught the Ziggy extortion trojan can now decrypt their data with a free tool.
---------------------------------------------
https://heise.de/-5048379
∗∗∗ Barcode Scanner app on Google Play infects 10 million users with one update ∗∗∗
---------------------------------------------
In a single update, a popular barcode scanner app that had been on Google Play for years turned into malware. ... Google quickly removed the app from its store. ... Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner.
---------------------------------------------
https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google…
∗∗∗ Reverse Engineering Keys from Firmware. A how-to ∗∗∗
---------------------------------------------
It is possible to reverse engineer keys from firmware with some tips:
* Always look for strings/constants.
* Make guesses about the original source.
* Find a function you can recognise and work backwards to identify other functions.
* It helps if they use open-source code so you can crib from it.
---------------------------------------------
https://www.pentestpartners.com/security-blog/reverse-engineering-keys-from…
∗∗∗ Extortion by e-mail: criminals claim to have filmed you masturbating ∗∗∗
---------------------------------------------
Fraudulent extortion e-mails are once again being sent out en masse. Criminals claim to have hacked your computer and caught you browsing porn websites. Allegedly you were filmed masturbating in the process. The unknown sender now threatens to send this video to all your contacts. Ignore this e-mail and do not reply!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-beh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Firefox and Tor Browser: update closes critical vulnerability and blocks NTFS bug ∗∗∗
---------------------------------------------
Version updates for Firefox, Firefox ESR and Tor Browser eliminate a Windows-specific security vulnerability and also bring a number of bug fixes.
---------------------------------------------
https://heise.de/-5048403
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu).
---------------------------------------------
https://lwn.net/Articles/845426/
∗∗∗ ImageMagick: vulnerability allows denial of service ∗∗∗
---------------------------------------------
ImageMagick is a collection of program libraries and tools that can process graphics in numerous formats. A local attacker can exploit a vulnerability in ImageMagick to carry out a denial of service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0135
∗∗∗ BlackBerry Powered by Android Security Bulletin - February 2021 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: The Ubuntu ca-certificates have been updated in Watson Machine Learning Community Edition containers due to expiration. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-ubuntu-ca-certificate…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-02-2021 18:00 - Friday 05-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Hackers steal StormShield firewall source code in data breach ∗∗∗
---------------------------------------------
Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-fi…
∗∗∗ Free coffee! Belgian researcher hacks prepaid vending machines ∗∗∗
---------------------------------------------
Only try this at home, folks! As easy as it might look, it's illegal in the wild, with good reason.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-ha…
∗∗∗ Stack Canaries – Gingerly Sidestepping the Cage ∗∗∗
---------------------------------------------
Tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks.
---------------------------------------------
https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage
∗∗∗ [SANS ISC] VBA Macro Trying to Alter the Application Menus ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory, but I spotted a VBA macro that tried to use the same defensive technique...
---------------------------------------------
https://blog.rootshell.be/2021/02/05/sans-isc-vba-macro-trying-to-alter-the…
∗∗∗ Abusing Google Chrome extension syncing for data exfiltration and C&C ∗∗∗
---------------------------------------------
I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication.
---------------------------------------------
https://isc.sans.edu/diary/rss/27066
∗∗∗ besondereprasente.com: Demand your money back! ∗∗∗
---------------------------------------------
Although the website besondereprasente.com no longer exists, Watchlist Internet still receives numerous reports about this fake shop. The reason: anyone who orders from besondereprasente.com falls into an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/besondereprasentecom-fordern-sie-ihr…
∗∗∗ Plex Media servers are being abused for DDoS attacks ∗∗∗
---------------------------------------------
Cyber-security firm Netscout warns of new DDoS attack vector.
---------------------------------------------
https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-…
∗∗∗ Kaspersky warns of crypto scam ∗∗∗
---------------------------------------------
Kaspersky has discovered a new scam scheme that targets Discord users with tempting offers from supposed new crypto exchanges.
---------------------------------------------
https://www.zdnet.de/88393274/kasperksy-warnt-vor-krypto-scam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day in the Chrome browser: install the update now ∗∗∗
---------------------------------------------
An actively exploited vulnerability in the Chrome browser endangers most operating systems. Google has released an update.
---------------------------------------------
https://heise.de/-5046783
∗∗∗ Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style ∗∗∗
---------------------------------------------
On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sit…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).
---------------------------------------------
https://lwn.net/Articles/845191/
∗∗∗ WordPress Plugin "Name Directory" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50470170/
∗∗∗ Security Bulletin: Watson Machine Learning Community Edition docker containers have been updated to fix a security issue in libcurl ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-c…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning 1.6.2 and 1.7.0 has been patched for various security issues in nanopb. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach…
∗∗∗ Security Bulletin: IBM API Connect is impacted by insecure web server configuration (CVE-2020-4825) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach…
∗∗∗ Security Bulletin: Content Collector for Email is affected by an embedded WebSphere Application Server Admin Console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph…
∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: PowerHA System Mirror for AIX vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-powerha-system-mirror-for…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-02-2021 18:00 - Thursday 04-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices ∗∗∗
---------------------------------------------
28 malicious extensions disguised traffic as Google Analytics data.
---------------------------------------------
https://arstechnica.com/?p=1739523
∗∗∗ New Fonix ransomware decryptor can recover victims' files for free ∗∗∗
---------------------------------------------
Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-fonix-ransomware-decrypt…
∗∗∗ How to Audit Password Changes in Active Directory ∗∗∗
---------------------------------------------
Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be.
---------------------------------------------
https://thehackernews.com/2021/02/how-to-audit-password-changes-in-active.h…
∗∗∗ Project Zero: Déjà vu-lnerability ∗∗∗
---------------------------------------------
A Year in Review of 0-days Exploited In-The-Wild in 2020
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
∗∗∗ E-scooters are easy to monitor and manipulate ∗∗∗
---------------------------------------------
The rental companies' apps are very forthcoming with information. With the transmitted data, an e-scooter can even be switched off while it is being ridden.
---------------------------------------------
https://heise.de/-5045945
∗∗∗ Browser sync—what are the risks of turning it on? ∗∗∗
---------------------------------------------
Browser synchronization is a handy feature, but it comes with a few risks. Here's what you should be asking yourself before you switch it on.
---------------------------------------------
https://blog.malwarebytes.com/privacy-2/2021/02/browser-sync-what-are-the-r…
∗∗∗ This old form of ransomware has returned with new tricks and new targets ∗∗∗
---------------------------------------------
Cerber was once the most common form of ransomware - and now it's back, years after its heyday.
---------------------------------------------
https://www.zdnet.com/article/this-old-form-of-ransomware-has-returned-with…
=====================
= Vulnerabilities =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB21-09) ∗∗∗
---------------------------------------------
A prenotification security advisory (APSB21-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for the week of February 09, 2021.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1967
∗∗∗ Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices ∗∗∗
---------------------------------------------
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications.
---------------------------------------------
https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.ht…
∗∗∗ Patch now! Security update for SonicWall SMA 100 is here ∗∗∗
---------------------------------------------
Attackers are currently targeting SonicWall's SMA 100 remote access system. Patches are now available.
---------------------------------------------
https://heise.de/-5045657
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/845088/
∗∗∗ Panasonic Video Insight VMS vulnerable to arbitrary code execution ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN42252698/
∗∗∗ ZDI-21-151: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-151/
∗∗∗ ZDI-21-150: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-150/
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2020-14781 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: IBM SDK Java Quarterly CPU Jul 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-quarterly-cp…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ wpa_supplicant: vulnerability allows execution of arbitrary code ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0129
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX291439
∗∗∗ Luxion KeyShot ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-035-02
∗∗∗ WAGO M&M Software fdtCONTAINER (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-02-2021 18:00 - Tuesday 02-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Linux malware steals SSH credentials from supercomputers ∗∗∗
---------------------------------------------
A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-steals-ssh…
∗∗∗ Malicious script steals credit card info stolen by other hackers ∗∗∗
---------------------------------------------
A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-script-steals-cred…
∗∗∗ New Threat: Matryosh Botnet Is Spreading ∗∗∗
---------------------------------------------
On January 25, 2021, 360 netlab's BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai's characteristics.
---------------------------------------------
https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/
∗∗∗ New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd) ∗∗∗
---------------------------------------------
Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/27056
∗∗∗ Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques ∗∗∗
---------------------------------------------
Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.
---------------------------------------------
https://thehackernews.com/2021/02/agent-tesla-malware-spotted-using-new.html
∗∗∗ Operation Dream Job by Lazarus ∗∗∗
---------------------------------------------
Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more; Torisma and LCPDot.
---------------------------------------------
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
∗∗∗ New Trickbot module uses Masscan for local network reconnaissance ∗∗∗
---------------------------------------------
The new Trickbot module is used to scan local networks for other nearby systems with open ports that could be hacked for quick lateral movement inside a company.
---------------------------------------------
https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-ne…
∗∗∗ Microsoft tracked a system sending a million malware emails a month. Here's what it discovered ∗∗∗
---------------------------------------------
Emerging attacker email infrastructure now sends over a million malware-laden emails each month.
---------------------------------------------
https://www.zdnet.com/article/microsoft-tracked-a-system-sending-a-million-…
∗∗∗ Operation NightScout: Supply‑chain attack targets online gaming in Asia ∗∗∗
---------------------------------------------
ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia.
---------------------------------------------
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain…
∗∗∗ Prize draw in Hofer's name leads to subscription trap ∗∗∗
---------------------------------------------
Caution: criminals pose as Hofer and inform recipients by e-mail about an alleged prize.
---------------------------------------------
https://www.watchlist-internet.at/news/gewinnspiel-im-namen-von-hofer-fuehr…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs ∗∗∗
---------------------------------------------
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/125331
∗∗∗ DSA-4843 linux - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
---------------------------------------------
https://www.debian.org/security/2021/dsa-4843
∗∗∗ Apple Releases Security Updates ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/apple-releases-se…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).
---------------------------------------------
https://lwn.net/Articles/844865/
∗∗∗ Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks ∗∗∗
---------------------------------------------
Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild.
---------------------------------------------
https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-expl…
∗∗∗ Google Android: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0115
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-01-2021 18:00 - Monday 01-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st) ∗∗∗
---------------------------------------------
Over the last number of weeks (after the Solarwinds Orion news) there's been a lot of discussion on how to detect if a server-based application is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol".
---------------------------------------------
https://isc.sans.edu/diary/rss/27054
∗∗∗ Masterminds behind the Fonix ransomware give up and publish master key ∗∗∗
---------------------------------------------
Victims of the Fonix encryption trojan see light at the end of the tunnel.
---------------------------------------------
https://heise.de/-5041914
∗∗∗ SonicWall zero-day exploited in the wild ∗∗∗
---------------------------------------------
Security firm NCC Group said it detected "indiscriminate" exploitation of a mysterious SonicWall zero-day.
---------------------------------------------
https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/
∗∗∗ Shodan Verified Vulns 2021-02-01 ∗∗∗
---------------------------------------------
Another month has passed, and with it the time has come again to take a look at Shodan's data on Verified Vulnerabilities in Austria.
---------------------------------------------
https://cert.at/de/aktuelles/2021/2/shodan-verified-vulns-2021-02-01
∗∗∗ Trickbot celebrates comeback ∗∗∗
---------------------------------------------
No sooner has the joy over the takedown of Emotet faded than another malware network called Trickbot is making a comeback after several months of silence.
---------------------------------------------
https://www.zdnet.de/88393163/trickbot-feiert-comeback/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 ∗∗∗
---------------------------------------------
A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges. [...] Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ WordPress plug-in Popup Builder: attackers could send newsletters ∗∗∗
---------------------------------------------
There is an important security update for the WordPress plug-in Popup Builder.
---------------------------------------------
https://heise.de/-5041788
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox, rubygem-nokogiri) and Ubuntu (mysql-5.7, mysql-8.0, python-django).
---------------------------------------------
https://lwn.net/Articles/844749/
∗∗∗ Sudo vulnerability CVE-2021-3156 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K86488846?utm_source=f5support&utm_mediu…
∗∗∗ Critical vulnerability in Apple iOS WebKit browser components can impact users of the BIG-IP APM F5 Access client ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K58149033?utm_source=f5support&utm_mediu…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-01-2021 18:00 - Friday 29-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Perl.com domain stolen, now using IP address tied to malware ∗∗∗
---------------------------------------------
The domain name perl.com was stolen this week and now points to an IP address associated with malware campaigns.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/perlcom-domain-stolen-now-us…
∗∗∗ A Look at iMessage in iOS 14 ∗∗∗
---------------------------------------------
On December 20, Citizenlab published “The Great iPwn”, detailing how “Journalists [were] Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit”. Of particular interest is the following note: “We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections''. Given that it is also now almost exactly one year ago since we published the Remote iPhone Exploitation blog post series, in which we described how an iMessage 0-click exploit can work in practice and gave a number of suggestions on how similar attacks could be prevented in the future, now seemed like a great time to dig into the security improvements in iOS 14 in more detail and explore how Apple has hardened their platform against 0-click attacks.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14…
∗∗∗ Sensitive Data Shared with Cloud Services, (Fri, Jan 29th) ∗∗∗
---------------------------------------------
Yesterday was the data protection day in Europe. I was not on duty so I'm writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild: 14GB compressed, 77M credentials.
---------------------------------------------
https://isc.sans.edu/diary/rss/27042
∗∗∗ Attacks on Individuals Fall as Cybercrime Shifts Tactics ∗∗∗
---------------------------------------------
Cybercriminals shifted away from stealing individual consumers’ information in 2020 to focus on bigger, more profitable attacks on businesses, according to a report from the Identity Theft Resource Center.
---------------------------------------------
https://www.securityweek.com/attacks-individuals-fall-cybercrime-shifts-tac…
∗∗∗ Identity theft via fraudulent job offers is booming! ∗∗∗
---------------------------------------------
The labour market in Austria remains tense, and this is also noticeable in the area of internet fraud. Our readers keep reporting that, while looking for a side income, they came across a fraudulent job offer. The aim behind this scam: the fraudsters try to steal the victim's identity, and sometimes an account is opened in the victim's name.
---------------------------------------------
https://www.watchlist-internet.at/news/identitaetsdiebstahl-durch-betrueger…
∗∗∗ Don’t stop at alert(1): Demonstrate impact with low severity bugs ∗∗∗
---------------------------------------------
When trying to discover vulnerabilities in a web application, you may not always come across high or critical severity bugs, and only end up finding low-medium severity issues like cross-site scripting (XSS). When that is the case, it is worth seeing how far those bugs can take you, since low severity vulnerabilities can still have a large effect when leveraged as part of a more impactful attack chain.
---------------------------------------------
https://medium.com/tenable-techblog/dont-stop-at-alert-1-demonstrate-impact…
=====================
= Vulnerabilities =
=====================
∗∗∗ Libgcrypt: warning of a severe bug in the GnuPG crypto library ∗∗∗
---------------------------------------------
The latest version of the encryption library Libgcrypt, which is used by GnuPG among others, is reported to contain a severe security vulnerability.
---------------------------------------------
https://www.golem.de/news/libgcrypt-warnung-vor-schwerem-fehler-in-gnupg-kr…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).
---------------------------------------------
https://lwn.net/Articles/844521/
∗∗∗ Rockwell Automation FactoryTalk Linx and FactoryTalk Services Platform ∗∗∗
---------------------------------------------
This advisory contains mitigations for Classic Buffer Overflow and Improper Check or Handling of Exceptional Conditions vulnerabilities in Rockwell Automation's FactoryTalk Linx and FactoryTalk Services Platform software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-028-01
∗∗∗ SSA-520004: Telnet Authentication Vulnerability in SIMATIC HMI Comfort Panels ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-520004.txt
∗∗∗ Linksys Router: vulnerability allows execution of arbitrary code with administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0101
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-01-2021 18:00 − Thursday 28-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th) ∗∗∗
---------------------------------------------
Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal).
---------------------------------------------
https://isc.sans.edu/diary/rss/27036
∗∗∗ Italy CERT Warns of a New Credential Stealing Android Malware ∗∗∗
---------------------------------------------
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.
---------------------------------------------
https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html
∗∗∗ CISA Malware Analysis on Supernova ∗∗∗
---------------------------------------------
CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/27/cisa-malware-anal…
∗∗∗ Pro-Ocean: Rocke Group’s New Cryptojacking Malware ∗∗∗
---------------------------------------------
In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero.
---------------------------------------------
https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojackin…
∗∗∗ US and Bulgarian authorities disrupt NetWalker ransomware operation ∗∗∗
---------------------------------------------
Authorities seize dark web domains, charge a Canadian, and seize $454,000 in cryptocurrency.
---------------------------------------------
https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalke…
∗∗∗ Stack Overflow: Here's what happened when we were hacked back in 2019 ∗∗∗
---------------------------------------------
The company goes into detail on how a hacker used Stack Overflow's own community knowledge-sharing to figure out how to hack it back in 2019.
---------------------------------------------
https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-we…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome blocks 7 more ports to stop NAT Slipstreaming attacks ∗∗∗
---------------------------------------------
Google Chrome now blocks access to websites on an additional seven TCP ports to protect against the NAT Slipstreaming 2.0 vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-chrome-blocks-7-more-…
∗∗∗ The Wordfence 2020 WordPress Threat Report ∗∗∗
---------------------------------------------
Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-…
∗∗∗ Windows Installer Local Privilege Escalation 0day Gets a Micropatch ∗∗∗
---------------------------------------------
On December 26, security researcher Abdelhamid Naceri published a blog post with a number of 0days in various security products and a local privilege escalation 0day in Windows Installer.
---------------------------------------------
https://blog.0patch.com/2021/01/windows-installer-local-privilege.html
∗∗∗ Local Privilege Escalation 0day in PsExec Gets a Micropatch ∗∗∗
---------------------------------------------
Update 1/28/2021: Since our publication of the micropatch for PsExec version 2.2, PsExec has been updated to versions 2.30, 2.31 and finally 2.32, which is the current release. David was able to update his PoC for each version, so the current version 2.32 is still vulnerable to the same attack.
---------------------------------------------
https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2,[...]
---------------------------------------------
https://lwn.net/Articles/844366/
∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000284205
∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000284202
∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000284206
∗∗∗ JasPer: vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0100
∗∗∗ Drupal: multiple vulnerabilities allow bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0099
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-01-2021 18:00 − Wednesday 27-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Emotet takedown: we are informing affected parties in Austria ∗∗∗
---------------------------------------------
In a coordinated action by several law enforcement agencies, the network around the Emotet malware was shut down and taken over.
---------------------------------------------
https://cert.at/de/aktuelles/2021/1/emotet-takedown-wir-informieren-betroff…
∗∗∗ Here's how a researcher broke into Microsoft VS Code's GitHub ∗∗∗
---------------------------------------------
This month a researcher was awarded a bug bounty award of an undisclosed amount after he broke into the official GitHub repository of Microsoft Visual Studio Code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke…
∗∗∗ Linux malware uses open-source tool to evade detection ∗∗∗
---------------------------------------------
AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-malware-uses-open-sour…
∗∗∗ Phishing & Malspam with Leaf PHPMailer ∗∗∗
---------------------------------------------
It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL or download a malicious attachment.
---------------------------------------------
https://blog.sucuri.net/2021/01/phishing-malspam-with-leaf-phpmailer.html
∗∗∗ Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication ∗∗∗
---------------------------------------------
FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff…
∗∗∗ Caution when buying FFP2 masks online! ∗∗∗
---------------------------------------------
The websites givenic.com and quantheco.com offer cheap FFP2 masks and other "COVID-19 health tools".
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-online-kauf-von-ffp2-m…
∗∗∗ LogoKit: Simple, Effective, and Deceptive ∗∗∗
---------------------------------------------
As sophisticated attacks dominate the headlines, it's important to remember that the vast majority of cybercrime results from simple, effective, and tested tools.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/logokit-phishing/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple critical patches fix in-the-wild iPhone exploits – update now! ∗∗∗
---------------------------------------------
Apple says "Additional details available soon", which you can translate as "this one took us by surprise". So patch now!
---------------------------------------------
https://nakedsecurity.sophos.com/2021/01/27/apple-critical-patches-fix-in-t…
∗∗∗ New Attack Could Let Remote Hackers Target Devices On Internal Networks ∗∗∗
---------------------------------------------
A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research.
---------------------------------------------
https://thehackernews.com/2021/01/new-attack-could-let-remote-hackers.html
∗∗∗ New Docker Container Escape Bug Affects Microsoft Azure Functions ∗∗∗
---------------------------------------------
Cybersecurity researchers today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them.
---------------------------------------------
https://thehackernews.com/2021/01/new-docker-container-escape-bug-affects.h…
∗∗∗ Security update: Tor Browser protected against possible malicious code attacks ∗∗∗
---------------------------------------------
Anyone who wants to keep surfing the internet anonymously and securely with the Tor Browser should install the current version.
---------------------------------------------
https://heise.de/-5037561
∗∗∗ Update now: critical sudo vulnerability grants local attackers root privileges ∗∗∗
---------------------------------------------
The ten-year-old vulnerability CVE-2021-3156 lets local attackers obtain root privileges via sudo without having any sudo permissions.
---------------------------------------------
https://heise.de/-5037687
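The quick check that the Qualys advisory for CVE-2021-3156 published, wrapped as an added example (this is not code from the heise article or from the sudo project): as an unprivileged user, run `sudoedit -s /`; a vulnerable sudo answers with an error that begins with "sudoedit:", a fixed one rejects the option combination and prints its usage text beginning with "usage:". The verdict strings, the timeout and the function names are this example's own choices.

```python
"""Added example (not from the heise article or the sudo project): classify the
result of the Qualys quick check for CVE-2021-3156.

The check: as an unprivileged user, run `sudoedit -s /`.  A vulnerable sudo
accepts -s in sudoedit mode and fails later with an error starting with
"sudoedit:"; a patched sudo rejects the option and prints its usage text,
which starts with "usage:".  Run it as a normal user, not as root.
"""
import shutil
import subprocess

VULNERABLE = "vulnerable"
PATCHED = "patched"
UNKNOWN = "unknown"


def classify_sudoedit_output(stderr: str) -> str:
    """Map the first stderr line of `sudoedit -s /` to a verdict string."""
    lines = stderr.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("sudoedit:"):
        return VULNERABLE
    if first.startswith("usage:"):
        return PATCHED
    return UNKNOWN


def check_local_sudo(timeout: float = 5.0) -> str:
    """Run the check on this host and return one of the three verdicts.

    stdin is closed and a timeout is set so an unexpected password prompt
    cannot hang the caller; any such odd outcome is reported as UNKNOWN.
    """
    if shutil.which("sudoedit") is None:
        return UNKNOWN
    try:
        proc = subprocess.run(
            ["sudoedit", "-s", "/"],
            capture_output=True,
            text=True,
            timeout=timeout,
            stdin=subprocess.DEVNULL,
        )
    except (subprocess.TimeoutExpired, OSError):
        return UNKNOWN
    return classify_sudoedit_output(proc.stderr)


if __name__ == "__main__":
    print(check_local_sudo())
```

The check only tells you whether the parser bug is present; it does not exploit it, and a `usage:` result on one host says nothing about the rest of the fleet, so the distribution package updates listed below still need to be rolled out everywhere.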
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).
---------------------------------------------
https://lwn.net/Articles/844184/
∗∗∗ OS command injection vulnerability in multiple Infoscience Corporation log management tools ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN41853173/
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210127-…
∗∗∗ Mozilla Firefox and Thunderbird: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0093
∗∗∗ MISP: vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0097
∗∗∗ Trend Micro ServerProtect: multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0095
∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01
∗∗∗ Eaton EASYsoft (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03
∗∗∗ Mitsubishi Electric Multiple Products (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01
∗∗∗ Denial of Service in Rexroth ID 200/C-ETH using EtherNet/IP Protocol ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-775371.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-01-2021 18:00 − Tuesday 26-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Fun with NMAP NSE Scripts and DOH (DNS over HTTPS), (Mon, Jan 25th) ∗∗∗
---------------------------------------------
DOH (DNS over HTTPS) has been implemented into the various browsers over the last year or so, and there's a fair amount of support for it on public DNS services. Because it's encrypted and over TCP, the mantra of "because privacy" has carried the day it looks like. But why do network and system admins hate it so?
---------------------------------------------
https://isc.sans.edu/diary/rss/27026
∗∗∗ Apache Software Foundation: more projects and more security advisories ∗∗∗
---------------------------------------------
The Apache Software Foundation's Security Report 2020 shows an increase in relevant security advisories for the projects under the foundation's umbrella.
---------------------------------------------
https://heise.de/-5035647
∗∗∗ SMS "We could not deliver your parcel" is a scam ∗∗∗
---------------------------------------------
"We could not deliver your parcel" reads an SMS from InfoTrack. The link provided leads to a request to pay 1 euro for shipping. But beware: this notification is a scam. Anyone who pays the fee ends up in an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-wir-konnten-ihr-paket-nicht-lief…
∗∗∗ New Variant of Ursnif Continuously Targeting Italy ∗∗∗
---------------------------------------------
Ursnif is a well-known banking Trojan with a large number of variants providing a diverse set of capabilities. A report from Fortinet analyzes a new variant of the malware specifically targeting users in Italy.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/669b7072b9792bc67a9d430517e…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).
---------------------------------------------
https://lwn.net/Articles/844054/
∗∗∗ Nagios Enterprises Nagios XI: vulnerability allows code execution ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Nagios Enterprises Nagios XI to execute arbitrary code.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0087
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-01-2021 18:00 − Monday 25-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security baseline for Microsoft Edge, version 88 ∗∗∗
---------------------------------------------
We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 88! We have reviewed the settings in Microsoft Edge version 88 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 88 package from the Security Compliance Toolkit.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Video: Doc & RTF Malicious Document, (Sun, Jan 24th) ∗∗∗
---------------------------------------------
I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files.
---------------------------------------------
https://isc.sans.edu/diary/rss/27022
∗∗∗ Scanning for Accessible MS-RDPEUDP services ∗∗∗
---------------------------------------------
We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.
---------------------------------------------
https://www.shadowserver.org/news/scanning-for-accessible-ms-rdpeudp-servic…
∗∗∗ RIFT: Analysing a Lazarus Shellcode Execution Method ∗∗∗
---------------------------------------------
After analysing the macro document, and pivoting on the macro, NCC Group’s RIFT identified a number of other similar documents. In these documents we came across an interesting technique being used to execute shellcode from VBA without the use of common “suspicious” APIs, such as VirtualAlloc, WriteProcessMemory or CreateThread – which may be detected by endpoint protection solutions. Instead, the macro documents abuse “benign” Windows API features to achieve code execution.
---------------------------------------------
https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode…
∗∗∗ Firewall vendor SonicWall investigates possible zero-day vulnerabilities in its products ∗∗∗
---------------------------------------------
Attackers exploited previously unknown vulnerabilities in SonicWall products to break into the vendor's own systems.
---------------------------------------------
https://heise.de/-5033933
∗∗∗ From low to critical: vulnerability assessment with CVSS ∗∗∗
---------------------------------------------
The Common Vulnerability Scoring System helps with assessing vulnerabilities. We explain how the system works and where its limits are.
---------------------------------------------
https://heise.de/-5031983
∗∗∗ DNSpooq: how haunted is Austria? ∗∗∗
---------------------------------------------
On 2021-01-19, JSOF published a series of vulnerabilities in dnsmasq, a popular DNS resolver for small networks. Their blog post groups these flaws under the name “DNSpooq” and describes two possible attack scenarios: ...
---------------------------------------------
https://cert.at/de/aktuelles/2021/1/dnspooq-wie-sehr-spukts-in-osterreich
∗∗∗ Review of the last third of 2020 ∗∗∗
---------------------------------------------
Incidents and advisories: ZeroLogon, Emotet, Microsoft Exchange CVE-2020-0688, Windows Server without support, unpatched Sophos Firewall XG instances, SonicOS DoS and RCE, cit0day leak, a leak rarely comes alone, ...
---------------------------------------------
https://cert.at/de/blog/2021/1/ruckblick-auf-das-letzte-drittel-2020
=====================
= Vulnerabilities =
=====================
∗∗∗ BlackBerry Powered by Android Security Bulletin - January 2021 ∗∗∗
---------------------------------------------
This advisory is in response to the Android Security Bulletin (January 2021) and addresses issues in that Security Bulletin that affect BlackBerry powered by Android smartphones.
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (ImageMagick, hawk2, mutt, permissions, stunnel) and Ubuntu (pound).
---------------------------------------------
https://lwn.net/Articles/843855/
∗∗∗ Cisco DNA Center Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Synology-SA-21:01 DNSpooq ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_01
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-01-2021 18:00 − Friday 22-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd) ∗∗∗
---------------------------------------------
When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the .jnlp extension.
---------------------------------------------
https://isc.sans.edu/diary/rss/27018
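An added example, not code from the ISC diary, of the check an MTA-side filter would apply to act on its advice: walk a MIME message and reject Java Web Start launch files, matching not only the .jnlp extension the diary recommends blocking but also the application/x-java-jnlp-file MIME type and a <jnlp root element in the payload, so that a renamed attachment is caught as well. The sample message, addresses and reason strings are constructed here and assumed; nothing below is taken from real mail.

```python
"""Added example (not from the ISC diary): flag mail attachments that are
Java Web Start launch files by extension, declared MIME type, or content.
The sample message built by build_sample() is constructed test data.
"""
import email
import email.policy
from email.message import EmailMessage
from typing import List

# Extensions the diary suggests blocking; extend to taste (.jar, .js, ...).
BLOCKED_EXTENSIONS = {".jnlp"}
# MIME type registered with IANA for JNLP files.
BLOCKED_MIME_TYPES = {"application/x-java-jnlp-file"}


def find_blocked_attachments(raw: bytes) -> List[str]:
    """Return the reasons this message should be rejected; empty list = clean."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        name = (part.get_filename() or "").strip().lower()
        label = name or "<unnamed>"
        ctype = part.get_content_type().lower()
        # 1. Filename check: catches "invoice.pdf.jnlp" and trailing spaces too.
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            reasons.append(f"attachment {label!r} has a blocked extension")
            continue
        # 2. Declared type check: a .pdf name with a JNLP content type.
        if ctype in BLOCKED_MIME_TYPES:
            reasons.append(f"attachment {label!r} declares blocked type {ctype}")
            continue
        # 3. Content sniff: a JNLP file is XML whose root element is <jnlp ...>.
        payload = part.get_payload(decode=True) or b""
        if b"<jnlp" in payload[:4096].lower():
            reasons.append(f"attachment {label!r} looks like JNLP content")
    return reasons


def build_sample(filename: str, ctype: str, body: bytes) -> bytes:
    """Construct a small multipart message with one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please open the attached document.")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


# Constructed JNLP payload; the real thing would also carry <resources> and <application-desc>.
JNLP_BODY = b'<?xml version="1.0"?><jnlp spec="1.0+" href="launch.jnlp"><information/></jnlp>'

if __name__ == "__main__":
    cases = [
        ("invoice.jnlp", "application/octet-stream", JNLP_BODY),
        ("invoice.pdf", "application/x-java-jnlp-file", JNLP_BODY),
        ("invoice.txt", "text/plain", JNLP_BODY),
        ("invoice.pdf", "application/pdf", b"%PDF-1.4 ..."),
    ]
    for fname, ctype, body in cases:
        print(fname, ctype, "->", find_blocked_attachments(build_sample(fname, ctype, body)))
```

The same three-layer check (name, declared type, content) is what a `mime_header_checks`-style rule cannot do on its own, since it only sees headers; for a production MTA the content sniff belongs in the milter or content filter stage.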
∗∗∗ Magento PHP Injection Loads JavaScript Skimmer ∗∗∗
---------------------------------------------
A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files.
---------------------------------------------
https://blog.sucuri.net/2021/01/magento-php-injection-loads-javascript-skim…
∗∗∗ Project Zero: Windows Exploitation Tricks: Trapping Virtual Memory Access ∗∗∗
---------------------------------------------
This blog is a continuation of my series of Windows exploitation tricks. This one describes an exploitation trick I’ve been trying to develop for years, succeeding (mostly, more on that later) on the latest versions of Windows 10.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/windows-exploitation-tricks-…
∗∗∗ Crypto-miner Dovecat targets network storage from Qnap and Synology ∗∗∗
---------------------------------------------
Current security advisories aim to protect network-attached storage (NAS) devices from Qnap and Synology.
---------------------------------------------
https://heise.de/-5032679
∗∗∗ New website launched to document vulnerabilities in malware strains ∗∗∗
---------------------------------------------
Launched by security researcher John Page, the new MalVuln website lists bugs in malware code.
---------------------------------------------
https://www.zdnet.com/article/new-website-launched-to-document-vulnerabilit…
∗∗∗ A look at the NIS 2.0 Recitals ∗∗∗
---------------------------------------------
The EU commission dropped a large cyber security package on December 16th 2020, including a first draft for a new version of the NIS Directive. In front of the actual normative legal text, there are 84 recitals, describing the intents of the regulation.
---------------------------------------------
https://cert.at/en/blog/2021/1/nis2-recitals-feedback
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 ∗∗∗
---------------------------------------------
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN38248512/
∗∗∗ Multiple vulnerabilities in Selea CarPlateServer and Selea Targa IP OCR-ANPR cameras ∗∗∗
---------------------------------------------
Zeroscience has found various vulnerabilities in two products from the company Selea. In both, among other things, ways to execute arbitrary code were found.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ 0day in Windows 7 and Server 2008 R2 Gets a Micropatch ∗∗∗
---------------------------------------------
Update 1/22/2021: This vulnerability did not get patched by December 2020 or January 2021 Extended Security Updates, so we ported our micropatch to these updates.
---------------------------------------------
https://blog.0patch.com/2020/11/0day-in-windows-7-and-server-2008-r2.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).
---------------------------------------------
https://lwn.net/Articles/843571/
∗∗∗ Windows RDP servers are being abused to amplify DDoS attacks ∗∗∗
---------------------------------------------
Windows RDP servers running on UDP port 3389 can be ensnared in DDoS botnets and abused to bounce and amplify junk traffic towards victim networks.
---------------------------------------------
https://www.zdnet.com/article/windows-rdp-servers-are-being-abused-to-ampli…
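An added detection example for the MS-RDPEUDP amplification described in the Shadowserver item in the previous report and the ZDNet item above (this is not code from either): given flow records, it pairs inbound UDP/3389 requests with the server's outbound replies to the same peer and flags pairs whose outbound/inbound byte ratio looks like amplification. The flow format, the sample records, the addresses and the threshold are all constructed for this example rather than taken from a real NetFlow/IPFIX export.

```python
"""Added example (not from the Shadowserver or ZDNet posts): spot an internal
RDP host being used as a UDP/3389 amplifier from constructed flow records.

Amplification shows up as small inbound UDP packets to port 3389 (with the
victim's address spoofed as source) answered by much larger outbound packets
to that same address; the posts quote a factor above 84.  The records below
use an invented "src dst sport dport proto bytes packets" layout.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

RDP_UDP_PORT = 3389
# Flag a (server, peer) pair once outbound bytes exceed inbound by this factor.
AMP_RATIO_THRESHOLD = 10.0

# Constructed sample: 203.0.113.7 is the spoofed victim, 192.0.2.10 the abused
# RDP server, 198.51.100.5 a normal UDP client, 192.0.2.20 plain TCP RDP.
SAMPLE_FLOWS = """\
# src            dst              sport dport proto bytes packets
203.0.113.7      192.0.2.10       40000 3389  udp   120   2
192.0.2.10       203.0.113.7      3389  40000 udp   10800 24
203.0.113.7      192.0.2.10       40001 3389  udp   60    1
192.0.2.10       203.0.113.7      3389  40001 udp   5600  12
198.51.100.5     192.0.2.10       51000 3389  udp   1400  10
192.0.2.10       198.51.100.5     3389  51000 udp   1500  10
198.51.100.9     192.0.2.20       52000 3389  tcp   8000  40
192.0.2.20       198.51.100.9     3389  52000 tcp   9000  45
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed flow format; comment and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, sport, dport, proto, nbytes, pkts = line.split()
        flows.append({
            "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes), "packets": int(pkts),
        })
    return flows


def find_rdp_amplifiers(flows: List[dict]) -> Dict[Tuple[str, str], float]:
    """Return {(rdp_server, peer): outbound/inbound byte ratio} for suspicious pairs."""
    inbound = defaultdict(int)   # (server, peer) -> bytes the peer sent to server:3389/udp
    outbound = defaultdict(int)  # (server, peer) -> bytes server:3389/udp sent to the peer
    for f in flows:
        if f["proto"] != "udp":
            continue  # TCP RDP is not the amplification vector
        if f["dport"] == RDP_UDP_PORT:
            inbound[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == RDP_UDP_PORT:
            outbound[(f["src"], f["dst"])] += f["bytes"]
    suspicious = {}
    for pair, out_bytes in outbound.items():
        in_bytes = inbound.get(pair, 0)
        # If the collector saw no request side at all (asymmetric export),
        # treat inbound as 1 byte so the ratio is large instead of a division error.
        ratio = out_bytes / max(in_bytes, 1)
        if ratio >= AMP_RATIO_THRESHOLD:
            suspicious[pair] = round(ratio, 1)
    return suspicious


if __name__ == "__main__":
    for (server, peer), ratio in find_rdp_amplifiers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{server} -> {peer}: {ratio}x amplification on UDP/3389")
```

On the constructed data only the pair (192.0.2.10, 203.0.113.7) is reported, at roughly 91x; the legitimate UDP client stays near 1:1 and the TCP session is ignored. The practical fix the posts imply is simpler than detection: do not expose 3389/UDP to the internet at all, and block it at the perimeter even where TCP RDP must remain reachable.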
∗∗∗ Delta Electronics ISPSoft ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use After Free vulnerability in Delta Electronics ISPSoft PLC program development tool.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-01
∗∗∗ Delta Electronics TPEditor ∗∗∗
---------------------------------------------
This advisory contains mitigations for Untrusted Pointer Dereference, and Out-of-bounds Write vulnerabilities in Delta Electronics TPEditor programming software for Delta text panels.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-02
∗∗∗ Honeywell OPC UA Tunneller ∗∗∗
---------------------------------------------
This advisory contains mitigations for Heap-based Buffer Overflow, Out-of-bounds Read, Improper Check for Unusual or Exceptional Conditions, and Uncontrolled Resource Consumption vulnerabilities in Honeywell's OPC UA Tunneller software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03
∗∗∗ Mitsubishi Electric MELFA ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric's MELFA robot controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-04
∗∗∗ WAGO M&M Software fdtCONTAINER ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in the M&M (a WAGO subsidiary) fdtCONTAINER application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to a denial of service attack (CVE-2020-4766) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru…
∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects GCM16 & GCM32 KVM Switch Firmware (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple Mozilla Firefox vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Security Vulnerability in IBM Java SDK affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-01-2021 18:00 − Thursday 21-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop ∗∗∗
---------------------------------------------
One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?
---------------------------------------------
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solor…
∗∗∗ Powershell Dropping a REvil Ransomware, (Thu, Jan 21st) ∗∗∗
---------------------------------------------
I spotted a piece of Powershell code that deserved some investigation because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!
---------------------------------------------
https://isc.sans.edu/diary/rss/27012
∗∗∗ Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw ∗∗∗
---------------------------------------------
A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.
---------------------------------------------
https://www.securityweek.com/scanning-activity-detected-after-release-explo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/843413/
∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affect IBM Watson Machine Learning Accelerator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are affected by vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser (CVE-2018-1311) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Vulnerability in gencore affects AIX (CVE-2020-4887) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gencore-…
∗∗∗ Security Bulletin: Vulnerability in Apache Ant affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Vulnerability in Google Guava affects WebSphere Service Registry and Repository (CVE-2018-10237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-g…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4969) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Rational Test Control Panel affected by Spring Framework vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-test-control-pan…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4958) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4966) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ XSA-360 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-360.html
∗∗∗ Drupal: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0081
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-01-2021 18:00 − Wednesday 20-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Qakbot activity resumes after holiday break, (Wed, Jan 20th) ∗∗∗
---------------------------------------------
It had been relatively quiet for Qakbot until Tuesday 2021-01-19, when we started seeing malicious spam (malspam) pushing Qakbot again.
---------------------------------------------
https://isc.sans.edu/diary/rss/27008
∗∗∗ Google Project Zero: The State of State Machines ∗∗∗
---------------------------------------------
On January 29, 2019, a serious vulnerability was discovered in Group FaceTime.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.…
∗∗∗ Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments ∗∗∗
---------------------------------------------
A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-target…
∗∗∗ Abuse.ch URLhaus added as a new data source for our notifications ∗∗∗
---------------------------------------------
Since Wednesday, 13 January 2020 we have been sending the data from the URLhaus feeds of the abuse.ch project in our regular notifications to network operators. The feeds comprise URLs that host malware files of various malware families.
---------------------------------------------
https://cert.at/de/blog/2021/1/abusech-urlhaus-als-neue-datenquelle-fur-uns…
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Critical Patch Update Advisory - January 2021 ∗∗∗
---------------------------------------------
This Critical Patch Update contains 329 new security patches.
---------------------------------------------
https://www.oracle.com/security-alerts/cpujan2021.html
∗∗∗ Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 ∗∗∗
---------------------------------------------
In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-harden…
∗∗∗ Cisco Security Advisories 2021-01-20 ∗∗∗
---------------------------------------------
4 Critical, 9 High, 18 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Privilege escalation: Critical vulnerability in older iOS and macOS versions ∗∗∗
---------------------------------------------
The bug in Apple's XPC interface can be exploited to gain elevated privileges, a security researcher warns.
---------------------------------------------
https://heise.de/-5030842
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (coturn, dovecot, glibc, and sudo), Mageia (openldap and resource-agents), openSUSE (dnsmasq, python-jupyter_notebook, viewvc, and vlc), Oracle (dnsmasq and xstream), SUSE (perl-Convert-ASN1, postgresql, postgresql13, and xstream), and Ubuntu (nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, pillow, pyxdg, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/843255/
∗∗∗ Two Vulnerabilities in Bosch Fire Monitoring System (FSM) ∗∗∗
---------------------------------------------
BOSCH-SA-332072-BT: Two vulnerabilities have been discovered affecting the Bosch Fire Monitoring System (FSM-2500 and FSM-5000). The critical issue applies to FSM systems with versions 5.2 and lower.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-332072-bt.html
∗∗∗ Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021 ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Inconsistent Interpretation of HTTP Requests Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210120-…
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210120-…
∗∗∗ Intel Ethernet 700 Series Controllers vulnerabilities CVE-2020-8690, CVE-2020-8691, CVE-2020-8692, and CVE-2020-8693 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28563873
∗∗∗ MISP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0057
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-01-2021 18:00 − Tuesday 19-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Linux Devices Under Attack by New FreakOut Malware ∗∗∗
---------------------------------------------
The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks.
---------------------------------------------
https://threatpost.com/linux-attack-freakout-malware/163137/
∗∗∗ Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims' networks—which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.
---------------------------------------------
https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html
∗∗∗ Set a new password now! OpenWrt forum hacked ∗∗∗
---------------------------------------------
Attackers were able to access user data of the OpenWrt forum, where users of the alternative operating system for routers and other devices exchange information.
---------------------------------------------
https://heise.de/-5028697
∗∗∗ Three Word Passwords ∗∗∗
---------------------------------------------
The National Cyber Security Centre (NCSC) has advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency and multiple police forces in the UK... but just how strong are these passwords?
---------------------------------------------
https://www.pentestpartners.com/security-blog/three-word-passwords/
∗∗∗ All That for a Coinminer? ∗∗∗
---------------------------------------------
A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tickets ...
---------------------------------------------
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
=====================
= Vulnerabilities =
=====================
∗∗∗ DNSpooq: Multiple security vulnerabilities in Dnsmasq ∗∗∗
---------------------------------------------
The IT security firm JSOF reports multiple security vulnerabilities in the DNS server software Dnsmasq, which it has named DNSpooq. These fall into two initially quite different classes of problems: buffer overflows in the processing of DNSSEC records, and insufficient protection against DNS spoofing attacks. ... Dnsmasq has closed the corresponding vulnerabilities in version 2.83. In many cases, however, installing updates is likely to be difficult. Dnsmasq is used very frequently in embedded devices and also on Android phones - that is, on exactly the devices for which there are often no regular security updates. The DNSpooq website lists a whole series of affected vendors along with their security advisories, but the list is likely to be incomplete.
---------------------------------------------
https://www.golem.de/news/dnspooq-mehrere-sicherheitsluecken-in-dnsmasq-210…
∗∗∗ Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the Universal Plug and Play (UPnP) service and the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow a remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has not released software updates that address these vulnerabilities. There are no workarounds.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).
---------------------------------------------
https://lwn.net/Articles/843142/
∗∗∗ Atlassian Confluence: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in Atlassian Confluence to carry out a denial-of-service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0052
∗∗∗ Philips Interventional Workstations ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01
∗∗∗ Reolink P2P Cameras ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-019-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-01-2021 18:00 − Monday 18-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Antivirus: The year of insecure security software ∗∗∗
---------------------------------------------
Security software is supposed to protect us, but the past year has once again shown that instead of protection, it delivers security problems free of charge.
---------------------------------------------
https://www.golem.de/news/antivirus-das-jahr-der-unsicheren-sicherheitssoft…
∗∗∗ Medical Device Security: Diagnosis Critical ∗∗∗
---------------------------------------------
Medical-device security has long been a challenge, suffering the same uphill management battle that the entire sprawling mess of IoT gadgets has faced.
---------------------------------------------
https://threatpost.com/medical-device-security/163127/
∗∗∗ Obfuscated DNS Queries, (Fri, Jan 15th) ∗∗∗
---------------------------------------------
This week I started seeing some URLs with /dns-query?dns in my honeypot. The queries obviously did not look like standard DNS queries; this got me curious and I then proceeded to investigate to determine what these DNS queries were trying to resolve.
---------------------------------------------
https://isc.sans.edu/diary/rss/26992
∗∗∗ New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th) ∗∗∗
---------------------------------------------
Version 13.01 of Sysmon was released, a Windows Sysinternals tool to monitor and log system activity.
---------------------------------------------
https://isc.sans.edu/diary/rss/26994
∗∗∗ Doc & RTF Malicious Document, (Mon, Jan 18th) ∗∗∗
---------------------------------------------
A reader pointed us to a malicious Word document.
---------------------------------------------
https://isc.sans.edu/diary/rss/26996
∗∗∗ NSA Releases Guidance on Encrypted DNS in Enterprise Environments ∗∗∗
---------------------------------------------
Original release date: January 15, 2021. The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guid…
∗∗∗ Skimming: Losses from data theft at ATMs at record low ∗∗∗
---------------------------------------------
Experts consider data theft at ATMs in Germany to be a dying practice. Both the number of attacks and the losses fell to a record low in 2020.
---------------------------------------------
https://heise.de/-5026975
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-072: NETGEAR R7450 SOAP API RecoverAdminPassword Improper Access Control Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-072/
∗∗∗ ZDI-21-071: NETGEAR R7450 Password Recovery External Control of Critical State Data Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-071/
∗∗∗ ZDI-21-070: Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-070/
∗∗∗ ZDI-21-069: Apple macOS process_token_BlitLibSetup2D Out-Of-Bounds Write Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-069/
∗∗∗ Critical admin vulnerability in WordPress plug-in Orbit Fox ∗∗∗
---------------------------------------------
An important security update is available for the WordPress plug-in Orbit Fox.
---------------------------------------------
https://heise.de/-5027252
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (flatpak, ruby-redcarpet, and wavpack), Fedora (dia, mingw-openjpeg2, and openjpeg2), Mageia (awstats, bison, cairo, kernel, kernel-linus, krb5, nvidia-current, nvidia390, php, and thunderbird), openSUSE (cobbler, firefox, kernel, libzypp, zypper, nodejs10, nodejs12, and nodejs14), Scientific Linux (thunderbird), Slackware (wavpack), SUSE (kernel, nodejs8, open-iscsi, openldap2, php7, php72, php74, slurm_20_02, and thunderbird), and Ubuntu (ampache,[...]
---------------------------------------------
https://lwn.net/Articles/842834/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit,[...]
---------------------------------------------
https://lwn.net/Articles/843054/
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: WebSphere Hibernate Validator Vulnerability Affects IBM Control Center (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-hibernate-valid…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a WebSphere Application Server Vulnerability (CVE-2020-4576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: Apache ActiveMQ Vulnerability Affects IBM Control Center (CVE-2020-13920) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-activemq-vulnerabi…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-01-2021 18:00 − Friday 15-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Extortionists know your personal data? Don't be intimidated! ∗∗∗
---------------------------------------------
We are repeatedly notified of extortion e-mails in which personal data of those affected is mentioned. Currently an extortion e-mail is circulating in which the criminals claim to know quite a bit about the recipients. As proof they provide the address and telephone number. Even though such knowledge is unsettling, you should not let yourself be intimidated and should ignore the extortionists' demands.
---------------------------------------------
https://www.watchlist-internet.at/news/erpresserinnen-kennen-ihre-persoenli…
∗∗∗ Hunting for Bugs in Windows Mini-Filter Drivers ∗∗∗
---------------------------------------------
In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I’ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-…
∗∗∗ Cyber Security advice for Finance staff ∗∗∗
---------------------------------------------
Working in the finance team at PTP I’m constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education. When I [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cyber-security-advice-for-fin…
∗∗∗ Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26990
=====================
= Vulnerabilities =
=====================
∗∗∗ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 ∗∗∗
---------------------------------------------
Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/01/14/netlogon-domain-controller-e…
∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗
---------------------------------------------
The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/apache-releases-s…
∗∗∗ ZDI-21-068: Panasonic Control FPWIN Pro Project File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panasonic Control FPWIN Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-068/
∗∗∗ Mitsubishi Electric Factory Automation Products Path Traversal (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-20-212-03 Mitsubishi Electric Factory Automation Products Path Traversal that was published July 30, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Path Traversal vulnerability in Mitsubishi Electric Factory Automation products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-03
∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update B) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the advisory update titled ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update A) that was published November 5, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Unquoted Search Path or Element vulnerability in Mitsubishi Electric Factory Automation Engineering products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04
∗∗∗ Security Bulletin: Vulnerability in Apache Solr affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
∗∗∗ Security Bulletin: Malicious file upload and download could affect Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-malicious-file-upload-and…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Cross Site Scripting vulnerability in Google Web Toolkit may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2012-5920 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-01-2021 18:00 − Thursday 14-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Big Sur: Apple again allows firewall filters for system services ∗∗∗
---------------------------------------------
In current macOS versions Apple had exempted its own system services from firewall rules. A beta version now reverses that.
---------------------------------------------
https://www.golem.de/news/big-sur-apple-erlaubt-wieder-firewall-filter-fuer…
∗∗∗ Sysdig observes a shift left in container security ∗∗∗
---------------------------------------------
While Docker is losing importance as a container runtime, more and more users are scanning their images early in the build process of their CI/CD pipelines.
---------------------------------------------
https://heise.de/-5024624
∗∗∗ Cisco says it won't patch 74 security bugs in older RV routers that reached EOL ∗∗∗
---------------------------------------------
Cisco advises RV110W, RV130, RV130W, and RV215W device owners to migrate to newer gear.
---------------------------------------------
https://www.zdnet.com/article/cisco-says-it-wont-patch-74-security-bugs-in-…
∗∗∗ Telegram-based phishing service Classiscam hits European marketplaces ∗∗∗
---------------------------------------------
Dozens of cybercriminal gangs are publishing fake ads on popular online marketplaces to lure interested users to fraudulent merchant sites or to phishing pages that steal payment data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telegram-based-phishing-serv…
∗∗∗ Windows 10 bug corrupts your hard drive on seeing this file's icon ∗∗∗
---------------------------------------------
An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your…
∗∗∗ Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th) ∗∗∗
---------------------------------------------
Recently I had to analyze an Excel malicious file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros.
---------------------------------------------
https://isc.sans.edu/diary/rss/26986
∗∗∗ Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments ∗∗∗
---------------------------------------------
CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices. In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/13/attackers-exploit…
∗∗∗ Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife ∗∗∗
---------------------------------------------
This time we decided to dissect and share intelligence information about another piece of the TH-239 arsenal: a tiny and mysterious tool dubbed "STEELCORGI" in FireEye research. This tool was heavily protected using a novel technique that makes things really difficult for any DFIR team tackling a TH-239 intrusion, but its contents reveal huge surprises and unexpected capabilities.
---------------------------------------------
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss…
∗∗∗ A Global Perspective of the SideWinder APT ∗∗∗
---------------------------------------------
AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ Office January security updates fix remote code execution bugs ∗∗∗
---------------------------------------------
Microsoft addresses important-severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates released during this month's Patch Tuesday.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/office-january-security-upda…
∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/juniper-networks-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar).
---------------------------------------------
https://lwn.net/Articles/842673/
∗∗∗ Pepperl+Fuchs IO-Link Master Series 1.36 CSRF / XSS / Command Injection ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021010110
∗∗∗ OpenSSL vulnerability CVE-2020-1971 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K42910051
∗∗∗ Red Hat Decision Manager: vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0037
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-…
∗∗∗ Security Advisory - Insufficient Integrity Check Vulnerability in Huawei Sound X Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-…
∗∗∗ Security Advisory - Logic Vulnerability in Huawei Gauss100 Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-…
∗∗∗ Security Bulletin: Vulnerability in Python affects IBM Spectrum Protect Plus Microsoft File Systems Agent (CVE-2020-26116) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-a…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data – GNU glibc (CVE-2020-1751) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2020-25696) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7769) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-15358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2015-9381, CVE-2015-9382) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition, that is used by IBM Workload Scheduler. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway has security vulnerabilities (CVE-2019-2044, CVE-2019-2045) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterp…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-11745) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM API Connect V5 Developer Portal is vulnerable to cross-site scripting (CVE-2020-4838) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-develo…
∗∗∗ Security Bulletin: CVE-2020-2601 may affect IBM® SDK, Java™ Technology Edition, that is used by IBM Workload Scheduler. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-may-affect-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-01-2021 18:00 − Wednesday 13-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Hackers steal Mimecast certificate used to encrypt customers’ M365 traffic ∗∗∗
---------------------------------------------
Compromise by "sophisticated threat actor" prompts company to issue new certificate.
---------------------------------------------
https://arstechnica.com/?p=1734653
∗∗∗ MegaCortex Ransomware: The Cyber-Threat Looming Over Corporate Networks ∗∗∗
---------------------------------------------
Cybercriminals only want one thing these days, and that thing is substantial payouts. This is why most hackers focus on big game hunting, directing the vast majority of their efforts towards company networks rather than individual home users.
---------------------------------------------
https://heimdalsecurity.com/blog/megacortex-ransomware/
∗∗∗ Hancitor activity resumes after a holiday break, (Wed, Jan 13th) ∗∗∗
---------------------------------------------
Campaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again.
---------------------------------------------
https://isc.sans.edu/diary/rss/26980
∗∗∗ Obfuscation Techniques in Ransomweb “Ransomware” ∗∗∗
---------------------------------------------
As vital assets for many business operations, websites and their hosting servers are often the target of ransomware attacks — and if they get taken offline, this can cause major issues for a business’ data, revenue, and ultimately reputation.
---------------------------------------------
https://blog.sucuri.net/2021/01/obfuscation-techniques-in-ransomweb-ransomw…
∗∗∗ A Rare Look Inside a Cryptojacking Campaign and its Profit ∗∗∗
---------------------------------------------
This post details an ongoing cryptojacking campaign targeting Linux machines, using exposed Docker API ports as an initial access vector to a victim’s machine. The attacker then installs a Golang binary, which is undetected in VirusTotal at the time of this writing.
---------------------------------------------
https://www.intezer.com/blog/research/a-rare-look-inside-a-cryptojacking-ca…
∗∗∗ Ubiquiti breach, and other IoT security problems ∗∗∗
---------------------------------------------
Ubiquiti informed its customers about unauthorized access to its online customer portal. Here's what you need to know.
---------------------------------------------
https://blog.malwarebytes.com/iot/2021/01/ubiquiti-breach-and-other-iot-sec…
∗∗∗ Rogue Android RAT Can Take Control of Devices, Steal Data ∗∗∗
---------------------------------------------
A recently discovered Mobile Remote Access Trojan (MRAT) can take control of the infected Android devices and exfiltrate a trove of user data, Check Point security researchers warn.
---------------------------------------------
https://www.securityweek.com/rogue-android-rat-can-take-control-devices-ste…
∗∗∗ Google reveals sophisticated Windows and Android hacking operation ∗∗∗
---------------------------------------------
The attackers used a combination of Android, Chrome, and Windows vulnerabilities, including both zero-days and n-days exploits.
---------------------------------------------
https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-…
∗∗∗ Beware of fake invoices from Austria IT, Vicca Security & Online Service Support ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports of fraudulent e-mails carrying fake invoices from "Austria IT", "Vicca Security" and "Online Service Support".
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rechnungen…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day ∗∗∗
---------------------------------------------
With the January 2021 Patch Tuesday security updates release, Microsoft has released fixes for 83 vulnerabilities, with ten classified as Critical and 73 as Important. There is also one zero-day and one previously disclosed vulnerability fixed as part of the January 2021 updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2021-patc…
∗∗∗ Microsoft fixes Secure Boot bug allowing Windows rootkit installation ∗∗∗
---------------------------------------------
Microsoft has fixed a security feature bypass vulnerability in Secure Boot that allows attackers to compromise the operating system's boot process even when Secure Boot is enabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-fixes-secure-boot-…
∗∗∗ Cisco Security Advisories 2021-01-13 ∗∗∗
---------------------------------------------
0 Critical, 4 High, 19 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Security update: critical code-execution vulnerability in Thunderbird ∗∗∗
---------------------------------------------
Mozilla has secured its mail client. Users should update quickly.
---------------------------------------------
https://heise.de/-5022816
∗∗∗ Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin ∗∗∗
---------------------------------------------
On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/01/multiple-vulnerabilities-patched-in-…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).
---------------------------------------------
https://lwn.net/Articles/842557/
∗∗∗ The installer of SKYSEA Client View may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN69635538/
∗∗∗ Security Bulletin: CVE-2020-1968 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1968-vulnerabili…
∗∗∗ Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service ∗∗∗
---------------------------------------------
https://medium.com/@bridge_004/local-privilege-escalation-in-vmware-vrealiz…
∗∗∗ SOOIL Dana Diabecare RS Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01
∗∗∗ Schneider Electric EcoStruxure Power Build-Rapsody ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-01-2021 18:00 − Tuesday 12-01-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Fake customer information circulating in the name of bank99 ∗∗∗
---------------------------------------------
Numerous bank customers are currently receiving e-mails, supposedly from bank99, asking them to download an app. If they do not, a processing fee is allegedly charged. Caution: this e-mail is fraud. Criminals are posing as bank99 and are trying to obtain your banking details with this e-mail. Move it to your spam folder!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-kundeninformation-im-nam…
∗∗∗ Mac malware uses run-only AppleScripts to evade analysis ∗∗∗
---------------------------------------------
A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mac-malware-uses-run-only-ap…
∗∗∗ Microsoft Sysmon now detects malware process tampering attempts ∗∗∗
---------------------------------------------
Microsoft has released Sysmon 13 with a new security feature that detects if a process has been tampered using process hollowing or process herpaderping techniques.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detect…
∗∗∗ Protecting Against Supply Chain Attacks by Profiling Suppliers ∗∗∗
---------------------------------------------
Learn how to better spot supply chain attacks targeting your organization. This blog outlines how defenders can use the techniques and tools they already use to profile suppliers and get ahead of potential threats.
---------------------------------------------
https://www.domaintools.com/resources/blog/protecting-against-supply-chain-…
∗∗∗ Stealing Your Private YouTube Videos, One Frame at a Time ∗∗∗
---------------------------------------------
* In the real world you would have to know the ID of the target video. Mass-leaking those would be considered a bug on its own.
* Since these are just images, you can't access audio.
* The resolution is very low (but it's high enough to see what is happening).
---------------------------------------------
https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one…
∗∗∗ Ubiquiti: Change Your Password, Enable 2FA ∗∗∗
---------------------------------------------
Ubiquiti, a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. The company says an incident at a third-party cloud provider may have exposed customer account information and credentials used to remotely manage Ubiquiti gear.
---------------------------------------------
https://krebsonsecurity.com/2021/01/ubiquiti-change-your-password-enable-2f…
∗∗∗ CES 2021: Intel adds ransomware detection capabilities at the silicon level ∗∗∗
---------------------------------------------
Intel 11th Gen Intel Core vPro CPUs with support for the Hardware Shield and TDT features will be able to detect ransomware attacks at the hardware level, many layers below antivirus software.
---------------------------------------------
https://www.zdnet.com/article/ces-2021-intel-adds-ransomware-detection-capa…
∗∗∗ Third malware strain discovered in SolarWinds supply chain attack ∗∗∗
---------------------------------------------
CrowdStrike, one of the two security firms formally investigating the hack, sheds some light on how hackers compromised the SolarWinds Orion app build process.
---------------------------------------------
https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Photoshop (APSB21-01), Adobe Illustrator (APSB21-02), Adobe Animate (APSB21-03), Adobe Campaign Classic (APSB21-04), Adobe InCopy (APSB21-05), Adobe Captivate (APSB21-06) and Adobe Bridge (APSB21-07). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1960
∗∗∗ Microsoft Releases Security Updates for Edge ∗∗∗
---------------------------------------------
Microsoft has released a security update to address multiple vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary updates.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/11/microsoft-release…
∗∗∗ SAP Releases January 2021 Security Updates ∗∗∗
---------------------------------------------
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the SAP Security Notes for January 2021 and apply the necessary updates.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/12/sap-releases-janu…
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device. The vulnerability is due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SSA-139628 V1.0: Vulnerabilities in Web Server for Scalance X Products ∗∗∗
---------------------------------------------
Several SCALANCE X switches contain vulnerabilities in the web server of the affected devices. An unauthenticated attacker could reboot the device, cause denial-of-service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for several affected products and recommends updating to the latest version(s). Siemens recommends countermeasures where fixes are not currently available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-139628.txt
∗∗∗ SSA-274900 V1.0: Use of hardcoded key in Scalance X devices under certain conditions ∗∗∗
---------------------------------------------
Scalance X devices might not generate a unique random key after a factory reset and instead use a private key shipped with the firmware. Siemens has released updates for some devices, is working on updates for the remaining affected products and recommends specific countermeasures until fixes are available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-274900.txt
∗∗∗ SSA-622830 V1.0: Multiple Vulnerabilities in JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends updating to the latest versions. Siemens is also preparing further updates and recommends specific countermeasures until the remaining fixes are available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-622830.txt
∗∗∗ SSA-979834 V1.0: Multiple vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends updating to the latest version.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-979834.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (chromium), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), Slackware (sudo), SUSE (firefox, nodejs10, nodejs12, and nodejs14), and Ubuntu (apt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-hwe-5.8, linux-oem-5.6, linux-oracle, linux-oracle-5.4, nvidia-graphics-drivers-390, nvidia-graphics-drivers-450, nvidia-graphics-drivers-460, python-apt, and [...]
---------------------------------------------
https://lwn.net/Articles/842382/
∗∗∗ [20210103] - Core - XSS in com_tags image parameters ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/838-20210103-core-xss-in-c…
∗∗∗ [20210102] - Core - XSS in mod_breadcrumbs aria-label attribute ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/837-20210102-core-xss-in-m…
∗∗∗ [20210101] - Core - com_modules exposes module names ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/836-20210101-core-com-modu…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-01-2021 18:00 − Monday 11-01-2021 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Bitcoin surge plays into the hands of fraudulent platforms ∗∗∗
---------------------------------------------
The renewed surge of Bitcoin is generating great media interest and continuous coverage. Criminals are exploiting this attention as well: they advertise fraudulent investment platforms with fabricated news articles. Caution: anyone who invests in such platforms loses the money! Losses amounting to several hundred thousand euros are not uncommon.
---------------------------------------------
https://www.watchlist-internet.at/news/bitcoin-hoehenflug-spielt-betruegeri…
∗∗∗ New version of Sysinternals released, Process Hollowing detection added in Sysmon, new registry access detection added to Procmon https://docs.microsoft.com/en-us/sysinternals/, (Mon, Jan 11th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26972
∗∗∗ Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th) ∗∗∗
---------------------------------------------
Now with a firm approach to putting together an inventory and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+U… and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+U…), for any client I typically create 4 inventories: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26974
∗∗∗ Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments ∗∗∗
---------------------------------------------
This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
∗∗∗ How I stole the data in millions of people’s Google accounts ∗∗∗
---------------------------------------------
As many of you may have suspected, this post is not entirely truthful. I have not released this fitness app onto the Play Store, nor have I collected millions of master tokens. ... But yes, these methods do work. I absolutely could release such an app, and so could anyone else (and maybe they have).
---------------------------------------------
https://ethanblake4.medium.com/how-i-stole-the-data-in-millions-of-peoples-…
∗∗∗ Free decrypter released for victims of Darkside ransomware ∗∗∗
---------------------------------------------
A new tool released today by Romanian security firm Bitdefender allows victims of the Darkside ransomware to recover their files without paying the ransom demand.
---------------------------------------------
https://www.zdnet.com/article/free-decrypter-released-for-victims-of-darksi…
∗∗∗ Trickbot Still Alive and Well ∗∗∗
---------------------------------------------
In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating …
---------------------------------------------
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
∗∗∗ Shodan Verified Vulns 2020-12-01 ∗∗∗
---------------------------------------------
In December too, we want to take a look at the vulnerabilities that Shodan sees in Austria. The following chart is based on the data from 2020-12-01: The data once again show hardly any changes compared to the previous months: the decline in SSL vulnerabilities basically continues, even though the changes are, for the first time since we started collecting the data (i.e. since 2020-09), only in the double-digit range. An overview of the development so far is provided by the [...]
---------------------------------------------
https://cert.at/de/aktuelles/2020/12/shodan-verified-vulns-2020-12
=====================
= Vulnerabilities =
=====================
∗∗∗ Typeform fixes Zendesk Sell form data hijacking vulnerability ∗∗∗
---------------------------------------------
Online survey and form creator Typeform has quietly patched a data hijacking vulnerability in its Zendesk Sell integration. If exploited, the vulnerability could let attackers redirect the form submissions containing potentially sensitive information to themselves.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/typeform-fixes-zendesk-sell-…
∗∗∗ QNAP: Command Injection Vulnerability in QTS and QuTS hero ∗∗∗
---------------------------------------------
CVE identifier: CVE-2020-2508
Affected products: All QNAP NAS
Summary: A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application.
---------------------------------------------
https://www.qnap.com/de-de/security-advisory/QSA-21-01
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, and mbedtls), Debian (coturn), Fedora (firefox, flac, and nodejs), Gentoo (ark, chromium, dovecot, firefox, firejail, ipmitool, nodejs, and pillow), Mageia (alpine, c-client, binutils, busybox, cherokee, firefox, golang, guava, imagemagick, libass, openexr, squirrelmail, tomcat, and xrdp), openSUSE (chromium, cobbler, rpmlint, and tomcat), Oracle (kernel), Red Hat (firefox, libpq, and openssl), SUSE (python-defusedxml, [...]
---------------------------------------------
https://lwn.net/Articles/842304/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: An Eclipse Jetty Vulnerability Affects IBM Sterling Secure External Authentication Server (CVE-2020-27216) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab…
∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Sterling Secure Proxy (CVE-2020-27216) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling External Authentication Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM DataPower Gateway Java security update ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-jav…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4869) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Sterling Secure Proxy (CVE-2020-13920) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-01-2021 18:00 − Friday 08-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Two-factor authentication: Radiation reveals the key of Google's Titan token ∗∗∗
---------------------------------------------
The private key of a Google hardware security token can be reconstructed from its radiation.
---------------------------------------------
https://www.golem.de/news/zwei-faktor-authentifizierung-strahlung-verraet-s…
∗∗∗ Using the NIST Database and API to Keep Up with Vulnerabilities and Patches - Playing with Code (Part 2 of 3), (Fri, Jan 8th) ∗∗∗
---------------------------------------------
Building on yesterday's story - now that we have an inventory built in CPE format, let's take an example CVE from that and write some code. What's in the NVD database (and API) that you can access, then use in your organization?
---------------------------------------------
https://isc.sans.edu/diary/rss/26964
∗∗∗ Evaluating Cookies to Hide Backdoors ∗∗∗
---------------------------------------------
Identifying website backdoors is not always an easy task. Since a backdoor's primary function is to conceal itself while providing unauthorized access, they are often developed using a variety of techniques that can make it challenging to detect. For example, an attacker can inject a single line of code containing less than 130 characters into a website file. While this may not seem like a lot of code, this short string can be used to load PHP web shells on your website [...]
---------------------------------------------
https://blog.sucuri.net/2021/01/evaluating-cookies-to-hide-backdoors.html
∗∗∗ Beware when bargain hunting: fake shop mydealz.live lures with tech clearance stock ∗∗∗
---------------------------------------------
Bargain hunters beware: on mydealz.live there are no cheap offers, only an expensive rip-off. Many consumers are currently landing on this website because they believe they are on the mydealz.de platform. In reality, however, mydealz.live is a fake shop that promises cheap tech clearance stock but never delivers.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-bei-der-schnaeppchenjagd-fak…
∗∗∗ A crypto-mining botnet is now stealing Docker and AWS credentials ∗∗∗
---------------------------------------------
After it began stealing AWS credentials last summer, the TeamTNT botnet is now also stealing Docker API logins, making the use of firewalls mandatory for all internet-exposed Docker interfaces.
---------------------------------------------
https://www.zdnet.com/article/a-crypto-mining-botnet-is-now-stealing-docker…
=====================
= Vulnerabilities =
=====================
∗∗∗ Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws ∗∗∗
---------------------------------------------
In all, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021.
---------------------------------------------
https://threatpost.com/nvidia-windows-gamers-graphics-driver-flaws/162857/
∗∗∗ Security updates: Malicious code attacks on early warning system FortiDeceptor possible ∗∗∗
---------------------------------------------
Fortinet has released important security patches for FortiDeceptor, FortiWeb and FortiGate SSL VPN.
---------------------------------------------
https://heise.de/-5018396
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/842093/
∗∗∗ Innokas Yhtymä Oy Vital Signs Monitor ∗∗∗
---------------------------------------------
This advisory contains mitigations for Cross-site Scripting, and Improper Neutralization of Special Elements in Output Used by a Downstream Component vulnerabilities in the Innokas Yhtymä Oy Vital Signs Monitor.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01
∗∗∗ Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Authentication vulnerability in the Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer device.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-01
∗∗∗ Omron CX-One ∗∗∗
---------------------------------------------
This advisory contains mitigations for Untrusted Pointer Dereference, Stack-based Buffer Overflow, and Type Confusion vulnerabilities in Omron's CX-One automation software suite.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02
∗∗∗ Eaton EASYsoft ∗∗∗
---------------------------------------------
This advisory contains mitigations for Type Confusion, and Out-of-bounds Read vulnerabilities in Eaton's EASYsoft controller software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03
∗∗∗ Delta Electronics CNCSoft-B ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Write, Out-of-bounds Read, Untrusted Pointer Dereference, and Type Confusion vulnerabilities in the Delta Electronics CNCSoft-B software management platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-04
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-01-2021 18:00 − Thursday 07-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ l+f: Security nightmare SMB in the browser ∗∗∗
---------------------------------------------
Security purists have long warned against techniques like Webassembly and Websockets. Now a hacker shows everything that can be done with them.
---------------------------------------------
https://heise.de/-5005070
∗∗∗ PayPal users are the target of a new SMS phishing campaign ∗∗∗
---------------------------------------------
The scam begins with an SMS that warns users of suspicious activity on their accounts.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/01/06/paypal-nutzer-sind-ziel-e…
∗∗∗ Phishing messages circulating on Facebook! ∗∗∗
---------------------------------------------
Criminals are currently sending messages via Facebook Messenger. They contain a link that purports to lead to Facebook's Ads Manager. In fact, however, it is an imitated, fraudulent page. The criminals hope that you will enter your data and thereby give them access to your Facebook account and your credit card details!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-nachrichten-auf-facebook-im…
∗∗∗ Malware using new Ezuri memory loader ∗∗∗
---------------------------------------------
Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-m…
∗∗∗ Babuk Locker is the first new enterprise ransomware of 2021 ∗∗∗
---------------------------------------------
It's a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-ne…
∗∗∗ FBI warns of Egregor ransomware extorting businesses worldwide ∗∗∗
---------------------------------------------
The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-egregor-ransomw…
∗∗∗ Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident ∗∗∗
---------------------------------------------
DomainTools researchers recently learned of a ransomware campaign targeting multiple entities. The incident highlighted several methods of network and malware analysis that can be used to gain a greater understanding of individual campaigns.
---------------------------------------------
https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-rans…
∗∗∗ NSA Urges SysAdmins to Replace Obsolete TLS Protocols ∗∗∗
---------------------------------------------
The NSA released new guidance providing system administrators with the tools to update outdated TLS protocols.
---------------------------------------------
https://threatpost.com/nsa-urges-sysadmins-to-replace-obsolete-tls-protocol…
∗∗∗ Bogus CSS Injection Leads to Stolen Credit Card Details ∗∗∗
---------------------------------------------
A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation.
Malware in Database Tables
As is pretty common with Magento credit card swiper investigations, my initial scans came up clean. Attackers are writing new pieces of malware like it’s going out of style, so there are very frequently new [...]
---------------------------------------------
https://blog.sucuri.net/2021/01/bogus-css-injection-leads-to-stolen-credit-…
∗∗∗ A Deep Dive into Lokibot Infection Chain ∗∗∗
---------------------------------------------
Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we'll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper's third stage.
---------------------------------------------
https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infecti…
∗∗∗ TA551: Email Attack Campaign Switches from Valak to IcedID ∗∗∗
---------------------------------------------
We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware.
---------------------------------------------
https://unit42.paloaltonetworks.com/ta551-shathak-icedid/
∗∗∗ Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 ∗∗∗
---------------------------------------------
Security firm Recorded Future said it tracked more than 10,000 malware command and control servers last year, used across more than 80 malware families.
---------------------------------------------
https://www.zdnet.com/article/cobalt-strike-and-metasploit-accounted-for-a-…
∗∗∗ A DoppelPaymer Ransomware Overview ∗∗∗
---------------------------------------------
Believed to be based on the BitPaymer ransomware, the DoppelPaymer ransomware emerged in 2019. Since then it has been used in a number of high-profile attacks. Trend Micro Research has published an overview of the DoppelPaymer ransomware.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/7c157bb8989d76730fed733016c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Dangerous security vulnerabilities in office application TextMaker ∗∗∗
---------------------------------------------
Attackers could attack TextMaker users. The threat level is considered high.
---------------------------------------------
https://heise.de/-5005181
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Genivia gSOAP ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in various Genivia gSOAP toolkit plugins. These vulnerabilities could allow an attacker to carry out a variety of malicious activities, including causing a denial of service on the victim machine or gaining the ability to execute arbitrary code. The gSOAP toolkit is a C/C++ library for developing XML-based web services.
---------------------------------------------
https://blog.talosintelligence.com/2021/01/vuln-spotlight-genivia-gsoap-.ht…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cairo, dovecot, and minidlna), Oracle (ImageMagick), Scientific Linux (ImageMagick), SUSE (clamav, dovecot23, java-1_8_0-ibm, and tomcat), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, [...]
---------------------------------------------
https://lwn.net/Articles/841873/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).
---------------------------------------------
https://lwn.net/Articles/841977/
∗∗∗ Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks ∗∗∗
---------------------------------------------
Several potentially serious vulnerabilities discovered in Fortinet’s FortiWeb web application firewall (WAF) could expose corporate networks to attacks, according to the researcher who found them.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-fortinet-waf-can-expose-corpor…
∗∗∗ ICS-CERT Security Advisories - January 5th, 2021 ∗∗∗
---------------------------------------------
ICS-CERT has released six security advisories addressing vulnerabilities in ICS-related devices and software.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/f9e8dce556fb93fa97530e3e1dd…
∗∗∗ Security Bulletin: Spectrum Discover has addressed multiple security vulnerabilities (CVE-2020-13401, CVE-2019-20372) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-spectrum-discover-has-add…
∗∗∗ Security Bulletin: Stored Cross-Site Scripting Vulnerability Affects IBM Emptoris Sourcing (CVE-2020-4895) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stored-cross-site-scripti…
∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.12 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-to-ibp-v2-5-1-to-…
∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage…
∗∗∗ Security Bulletin: Communication between burst buffer processes not properly secured ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-communication-between-bur…
∗∗∗ Security Bulletin: Lucky 13 Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2020-4898) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-vulnerability-af…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU minus CVE-2020-14782 affects Liberty for Java for IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects IBM Emptoris Spend Analysis (CVE-2020-4897) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is affected by multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-01-2021 18:00 − Tuesday 05-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ WLAN: Malware checks its location via Wi-Fi ∗∗∗
---------------------------------------------
It is not unusual for malware to check the location of the infected computer. Until now, however, the IP address was mostly used for this.
---------------------------------------------
https://www.golem.de/news/wlan-schadsoftware-prueft-den-standort-via-wi-fi-…
∗∗∗ Medical IT: BSI study attests a poor security level ∗∗∗
---------------------------------------------
The BSI found many vulnerabilities in its new studies on IT security in medicine. Penetration tests or security evaluations were completely absent.
---------------------------------------------
https://heise.de/-5004126
∗∗∗ Beware of WOTOBA.de! ∗∗∗
---------------------------------------------
Online shopping is booming. But caution is advised! Many online offers are too good to be true, and WOTOBA.de is one of them. The shop advertises hot prices, cheap offers and big discounts. If the poor-quality order arrives at all, it does so with a long delay and possibly a bill from the customs office. Often, however, the ordered and paid-for goods are never delivered.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-wotobade/
∗∗∗ Cryptocurrency stealer for Windows, macOS, and Linux went undetected for a year ∗∗∗
---------------------------------------------
ElectroRAT was written from scratch and was likely installed by thousands.
---------------------------------------------
https://arstechnica.com/?p=1732897
∗∗∗ Ryuk ransomware is the top threat for the healthcare sector ∗∗∗
---------------------------------------------
Healthcare organizations continue to be a prime target for cyberattacks of all kinds, with ransomware incidents, Ryuk in particular, being more prevalent.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-the-top-t…
∗∗∗ Netfox Detective: An Alternative Open-Source Packet Analysis Tool, (Tue, Jan 5th) ∗∗∗
---------------------------------------------
[This is a guest diary by Yee Ching Tok (personal website here (https://poppopretn.com)). Feedback welcome either via comments or our contact page (https://isc.sans.edu/contact.html)]
---------------------------------------------
https://isc.sans.edu/diary/rss/26950
∗∗∗ Hackers Exploiting Recently Disclosed Zyxel Vulnerability ∗∗∗
---------------------------------------------
Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.
---------------------------------------------
https://www.securityweek.com/hackers-start-exploiting-recently-disclosed-zy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Android secured against remote code execution, among other things ∗∗∗
---------------------------------------------
The latest security updates for Google's mobile operating system Android fix four critical vulnerabilities as well as numerous other security problems.
---------------------------------------------
https://heise.de/-5003473
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (dovecot, poppler, roundcubemail, and rsync), Debian (csync2 and gssproxy), Fedora (grafana, perl-Convert-ASN1, and python-py), openSUSE (privoxy), Oracle (kernel), Red Hat (ImageMagick and kernel), SUSE (ceph, dovecot22, flac, java-1_7_1-ibm, openssh, and python), and Ubuntu (dovecot, horizon, openexr, and python-apt).
---------------------------------------------
https://lwn.net/Articles/841792/
∗∗∗ Node.js: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0006
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-12-2020 18:00 − Monday 04-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Citrix adds NetScaler ADC setting to block recent DDoS attacks ∗∗∗
---------------------------------------------
Citrix has released a feature enhancement designed to block attackers from using the Datagram Transport Layer Security (DTLS) feature of NetScaler ADC devices as an amplification vector in DDoS attacks. [...] https://support.citrix.com/article/CTX289674
---------------------------------------------
https://www.bleepingcomputer.com/news/security/citrix-adds-netscaler-adc-se…
∗∗∗ Malware: Worm turns Windows and Linux servers into Monero miners ∗∗∗
---------------------------------------------
The malware exploits open ports of services such as MySQL and relies on them being secured with weak passwords.
---------------------------------------------
https://www.golem.de/news/malware-wurm-macht-windows-und-linux-server-zu-mo…
∗∗∗ From a small BAT file to Mass Logger infostealer, (Mon, Jan 4th) ∗∗∗
---------------------------------------------
Since another year went by, I've decided to once again check all of the malicious files which were caught in my e-mail quarantine during its course. Last year, when I went through the batch of files from 2019, I found a couple of very large samples[1] and I wanted to see whether I'd find something similar in the 2020 batch.
---------------------------------------------
https://isc.sans.edu/diary/rss/26946
∗∗∗ Cyber attack via SolarWinds: Attackers had access to Microsoft source code ∗∗∗
---------------------------------------------
Microsoft has admitted that in the SolarWinds case the attackers penetrated very deep into the company's internal networks and got as far as the source code.
---------------------------------------------
https://heise.de/-5001678
∗∗∗ IntelOwl 2.0: Free tool for threat intelligence analysis ∗∗∗
---------------------------------------------
In the new major release 2.0, the threat intelligence tool IntelOwl receives several new analyzers. The tool is released as open-source software.
---------------------------------------------
https://heise.de/-5002685
=====================
= Vulnerabilities =
=====================
∗∗∗ Zend Framework remote code execution vulnerability revealed ∗∗∗
---------------------------------------------
An untrusted deserialization vulnerability has been disclosed in Zend Framework which can be used by attackers to achieve remote code execution on PHP sites. Portions of Laminas Project may also be impacted by this flaw, tracked as CVE-2021-3007.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zend-framework-remote-code-e…
∗∗∗ Zyxel programmed a backdoor into its firewalls ∗∗∗
---------------------------------------------
Zyxel Networks built backdoors into firewalls and access point controllers and gave away the password. An update is available for the firewalls.
---------------------------------------------
https://heise.de/-5002067
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox, openjpeg2, openssl, qemu, tensorflow, and thunderbird) and Debian (highlight.js).
---------------------------------------------
https://lwn.net/Articles/841498/
∗∗∗ Security updates for the start of 2021 ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libxstream-java and p11-kit), Mageia (curl and minidlna), and openSUSE (groovy).
---------------------------------------------
https://lwn.net/Articles/841544/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, dovecot, flac, influxdb, libhibernate3-java, and p11-kit), Fedora (ceph and guacamole-server), Mageia (audacity, gdm, libxml2, rawtherapee, and vlc), openSUSE (jetty-minimal and privoxy), Red Hat (kernel and kernel-rt), SUSE (gimp), and Ubuntu (libproxy).
---------------------------------------------
https://lwn.net/Articles/841653/
∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability in Huawei CloudEngine Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201230-…
∗∗∗ Apache Tomcat vulnerability CVE-2020-17527 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44415301