=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-03-2021 18:00 − Thursday 25-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cisco fixes remotely exploitable flaws in Jabber clients for Windows, macOS and mobile platforms ∗∗∗
---------------------------------------------
An update closes several security holes, some rated critical, in Cisco's Jabber client for Windows, macOS, Android and iOS. Other Cisco products received updates as well.
---------------------------------------------
https://heise.de/-5997987
∗∗∗ IETF formally deprecates TLS 1.0 and 1.1 ∗∗∗
---------------------------------------------
The IETF has formally deprecated TLS 1.0 and 1.1 (RFC 8996): weak cryptography and a long list of security vulnerabilities have brought both protocol versions to their end, and implementations are now expected to refuse to negotiate them.
---------------------------------------------
https://heise.de/-5997963
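What "refuse to negotiate TLS 1.0/1.1" looks like in practice, as an added example that is not code from the IETF or from the article: a Python standard-library ssl client context with the version floor pinned at TLS 1.2, the legacy misconfiguration next to it, and an audit helper that lists which of the RFC 8996-deprecated versions a given context would still accept. The helper treats MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED as "no bound", which assumes the linked OpenSSL still implements the old versions (an assumption of this example, noted in the code).

```python
"""Added example, not code from the IETF or the heise article: a client
TLS context that cannot negotiate TLS 1.0/1.1, plus an audit helper for
contexts built elsewhere. Standard library only; the deprecation itself
is RFC 8996."""
import ssl

# The two versions RFC 8996 deprecates.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def hardened_client_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, floor pinned at TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The misconfiguration: the floor dropped to whatever the library
    still supports, as is sometimes done to keep talking to an old
    appliance. Equivalent to an explicit TLS 1.0 floor on builds that
    still ship TLS 1.0 (assumption of this example)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def deprecated_versions_allowed(ctx: ssl.SSLContext) -> list:
    """Names of the deprecated versions still inside the context's
    [minimum_version, maximum_version] range; empty means compliant."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # "No bound" sentinels are mapped to the extremes of the enum; this
    # assumes the linked OpenSSL has not been built without TLS 1.0/1.1.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [v.name for v in DEPRECATED if lo <= v <= hi]


if __name__ == "__main__":
    print("hardened:", deprecated_versions_allowed(hardened_client_context()))
    print("legacy:  ", deprecated_versions_allowed(legacy_client_context()))
```

The same `minimum_version` setting applies to a server context built with `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`; the audit helper is useful for contexts handed to you by a framework, where the floor was set somewhere you did not write.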
∗∗∗ Fleeceware lures users into subscription traps ∗∗∗
---------------------------------------------
Researchers at Avast have found hundreds of fleeceware mobile apps on Google Play and in the Apple App Store whose developers earn millions of dollars from overpriced subscriptions.
---------------------------------------------
https://www.zdnet.de/88394043/fleeceware-lockt-in-abofallen/
∗∗∗ QNAP warns of ongoing brute-force attacks against NAS devices ∗∗∗
---------------------------------------------
QNAP warns customers of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urges them to immediately take action to mitigate them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-…
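The advisory is about responding to the attacks; the detection side, as an added example that is not QNAP's code, is a sliding-window count of failed logins per source address. The log line format below is constructed for the example (it is not QNAP's real event-log format, so `LINE_RE` has to be adapted to the device), and the addresses come from the RFC 5737 documentation ranges. A source is flagged once it crosses the threshold inside the window, together with the usernames it tried, which separates a brute force against one account from a spray across many.

```python
"""Added example (not QNAP's code): flag sources of repeated failed
logins in an auth log. The log format and the sample lines are
constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional

# Constructed line format; adapt to the device's real event log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<svc>\S+): "
    r"Login (?P<result>failed|succeeded) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: one source hammering admin/root, one user who
# mistyped twice and then succeeded.
SAMPLE_LOG = """\
2021-03-24T10:00:01Z sshd: Login failed user=admin from=203.0.113.5
2021-03-24T10:00:03Z sshd: Login failed user=admin from=203.0.113.5
2021-03-24T10:00:05Z sshd: Login failed user=root from=203.0.113.5
2021-03-24T10:00:07Z sshd: Login failed user=admin from=203.0.113.5
2021-03-24T10:00:09Z sshd: Login failed user=admin from=203.0.113.5
2021-03-24T10:00:30Z sshd: Login failed user=alice from=198.51.100.7
2021-03-24T10:05:00Z sshd: Login failed user=alice from=198.51.100.7
2021-03-24T10:05:10Z sshd: Login succeeded user=alice from=198.51.100.7
2021-03-24T10:20:00Z sshd: Login failed user=admin from=203.0.113.5
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one line, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def find_bruteforce_sources(lines: Iterable[str], threshold: int = 5,
                            window_s: int = 60) -> Dict[str, dict]:
    """Flag a source IP the first time it produces `threshold` failed
    logins within any `window_s`-second window. Returns, per flagged IP,
    the time the threshold was crossed and all usernames it tried."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "failed"]
    events.sort(key=lambda e: e["ts"])  # logs are not always in order
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for e in events:
        ip, ts = e["ip"], e["ts"]
        users[ip].add(e["user"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop expired entries
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return {ip: {"flagged_at": ts.strftime(TS_FMT), "users": sorted(users[ip])}
            for ip, ts in flagged.items()}


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Threshold and window are the knobs to tune against the device's normal traffic; a lower threshold with a long window catches slow, patient attempts that a per-minute rule misses.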
∗∗∗ Threat landscape for industrial automation systems. Statistics for H2 2020 ∗∗∗
---------------------------------------------
We continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-s…
∗∗∗ Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis ∗∗∗
---------------------------------------------
On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]. We customized our Anglerfish honeypot to simulate and deploy a Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data; so far, we have already [...]
---------------------------------------------
https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855…
∗∗∗ From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts) ∗∗∗
---------------------------------------------
Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-creati…
∗∗∗ Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild ∗∗∗
---------------------------------------------
On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s "Legacy" Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-th…
∗∗∗ Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) this week published an alert warning that the Mamba ransomware abuses the open-source DiskCryptor tool to encrypt entire drives, including the one holding the operating system.
---------------------------------------------
https://www.securityweek.com/mamba-ransomware-leverages-diskcryptor-encrypt…
∗∗∗ Webshells Observed in Post-Compromised Exchange Servers ∗∗∗
---------------------------------------------
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed on compromised Microsoft Exchange servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observe…
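The two MARs identify specific webshells; the added example below is not CISA's code and does not use the MARs' indicators. It is a generic triage scan of a web root: script files whose content contains what a webshell needs (evaluating request input, spawning a process) and, optionally, only files modified after a given point in time. The heuristics, the sample files and the directory layout are assumptions for the example (the tree is constructed in a temporary directory and only imitates an IIS web root), not Exchange's real layout or real indicators.

```python
"""Added example: a content + mtime triage scan for webshell candidates.
Not CISA's code and not the indicators from AR21-084A/B; the patterns are
generic heuristics and the sample web root is constructed in a temporary
directory for the example."""
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional

SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}

# Generic heuristics chosen for this example. The STRONG ones are enough
# on their own; "request_param" is normal in legitimate pages and is only
# reported as supporting context.
HEURISTICS = {
    "eval_of_request_input": re.compile(r"\beval\s*\(\s*Request\b", re.I),
    "process_spawn": re.compile(r"Process\.Start|cmd\.exe|powershell(?:\.exe)?", re.I),
    "jscript_unsafe_eval": re.compile(r'"unsafe"\s*\)', re.I),
    "request_param": re.compile(r"Request(?:\.Item|\.Form|\.QueryString|\.Headers)?\s*\[", re.I),
}
STRONG = {"eval_of_request_input", "process_spawn", "jscript_unsafe_eval"}


def scan_webroot(root: Path, modified_since: Optional[datetime] = None) -> List[Dict]:
    """Return script files under `root` that match a STRONG heuristic and,
    if `modified_since` is given, were modified at or after that time."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXT:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if modified_since is not None and mtime < modified_since:
            continue
        text = path.read_text(errors="replace")
        reasons = [name for name, rx in HEURISTICS.items() if rx.search(text)]
        if STRONG.intersection(reasons):
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "mtime": mtime.isoformat(timespec="seconds"),
                "reasons": reasons,
            })
    return findings


# Constructed sample files; paths are assumptions for the example.
SAMPLE_FILES = {
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %>\n<html><body><form runat="server">'
        '<asp:TextBox ID="username" runat="server" /></form></body></html>\n',
    "owa/auth/healthcheck.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>\n',
    "aspnet_client/system_web/x.aspx":
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start('
        '"cmd.exe", "/c " + Request.Form["c"]); %>\n',
    "owa/auth/themes/resources/logo.png": "not a script; never scanned\n",
}


def write_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo(within_days: Optional[int] = None) -> List[Dict]:
    """Build the sample tree in a temp dir and scan it."""
    since = None
    if within_days is not None:
        since = datetime.now(timezone.utc) - timedelta(days=within_days)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_sample_tree(root)
        return scan_webroot(root, since)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["mtime"], f["reasons"])
```

Content heuristics are a triage aid, not proof: a file that matches deserves a look and a hash comparison against a known-good install, and a file that does not match can still be a webshell written to dodge exactly these patterns. The mtime filter is what makes the scan practical on a large web root; an attacker can reset timestamps, so treat "old" files as lower priority rather than clean.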
=====================
= Vulnerabilities =
=====================
∗∗∗ Crypto library: OpenSSL flaw in certificate checks ∗∗∗
---------------------------------------------
An OpenSSL bug in certificate validation (CVE-2021-3450, a CA check that can be bypassed when the non-default X509_V_FLAG_X509_STRICT flag is set) affects only a few applications; a second bug (CVE-2021-3449, a NULL pointer dereference triggered by a renegotiation ClientHello) lets a client crash TLS servers. Both are fixed in OpenSSL 1.1.1k.
---------------------------------------------
https://www.golem.de/news/kryptobibliothek-openssl-luecke-in-zertifikatsche…
∗∗∗ SAP® privilege escalation through ABAP code injection in SAP® Business Warehouse ∗∗∗
---------------------------------------------
This blog post gives an overview of a critical ABAP code injection vulnerability in the function module RSDMD_BATCH_CALL of SAP® Business Warehouse and illustrates its impact.
---------------------------------------------
https://sec-consult.com/de/blog/detail/privilege-escalation-abap-code-injec…
∗∗∗ Two Vulnerabilities Patched in Facebook for WordPress Plugin ∗∗∗
---------------------------------------------
On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-faceb…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/850498/
∗∗∗ Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91610944?utm_source=f5support&utm_mediu…
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0308
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities (CVE-2020-28851 and CVE-2020-28852) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-3114 and CVE-2021-3115) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager (Oct 2020 and Jan 2021 CPUs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat…
∗∗∗ Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 – Log4j Deserialization Remote Code Execution (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufactu…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-03-2021 18:00 − Wednesday 24-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft warns of phishing attacks bypassing email gateways ∗∗∗
---------------------------------------------
An ongoing phishing operation that stole an estimated 400,000 OWA and Office 365 credentials since December has now expanded to abuse new legitimate services to bypass secure email gateways (SEGs).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-…
∗∗∗ Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers ∗∗∗
---------------------------------------------
Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.
---------------------------------------------
https://thehackernews.com/2021/03/purple-fox-rootkit-can-now-spread.html
∗∗∗ Numerous negative reviews of fashionmanufaktur.at ∗∗∗
---------------------------------------------
For months, negative experiences and reviews from numerous consumers about the online shop fashionmanufaktur.at have been piling up.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-negative-bewertungen-zu-f…
∗∗∗ Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech ∗∗∗
---------------------------------------------
We describe trends in COVID-19 themed phishing attacks since the start of the pandemic to gain insight into the topics that attackers try to exploit.
---------------------------------------------
https://unit42.paloaltonetworks.com/covid-19-themed-phishing-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-354: (0Day) Lepide Active Directory Self Service Backup Missing Authentication Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Lepide Active Directory Self Service. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-354/
∗∗∗ Cisco Security Advisories 2021-03-24 ∗∗∗
---------------------------------------------
1 Critical, 18 High, 19 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4,[...]
---------------------------------------------
https://lwn.net/Articles/850352/
∗∗∗ SaltStack revises partial patch for command injection, privilege escalation vulnerability ∗∗∗
---------------------------------------------
The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
---------------------------------------------
https://www.zdnet.com/article/saltstack-revises-partial-patch-for-command-i…
∗∗∗ Uncontrolled Search Path Element in Multiple Bosch Products ∗∗∗
---------------------------------------------
BOSCH-SA-835563-BT: Multiple Bosch software applications are affected by a security vulnerability, which potentially allows an attacker to load additional code in the form of DLLs (commonly known as "DLL Hijacking" or "DLL Preloading").
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-835563-bt.html
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage System where an attacker could cause a denial of service (CVE-2020-5015) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -[All] jQuery (Publicly disclosed vulnerability) – 180875 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Elastic Storage Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2020-14803, CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM® SDK, Java™ Technology Edition shipped with IBM Tivoli Netcool Impact (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i…
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0522 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37283878
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0523 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31445234
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0524 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83504933
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0525 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44482551
∗∗∗ Linux Kernel: Vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0306
∗∗∗ Pro-FTPd: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0304
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-03-2021 18:00 − Tuesday 23-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ A Popular Remote Lesson Monitoring Program Might be Exploited by Attackers ∗∗∗
---------------------------------------------
Netop is classroom-monitoring software that gives teachers visibility into student activity: it lets them see what their students see, share their own screen, lock student screens and keyboards, and block websites with the click of a button. The software, designed and advertised to help teachers keep control of lessons [...]
---------------------------------------------
https://heimdalsecurity.com/blog/lesson-monitoring-program-exploited/
∗∗∗ Secure containerized environments with updated threat matrix for Kubernetes ∗∗∗
---------------------------------------------
The updated threat matrix for Kubernetes adds new techniques found by Microsoft researchers, as well as techniques that were suggested by the community.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-env…
∗∗∗ Nim Strings, (Mon, Mar 22nd) ∗∗∗
---------------------------------------------
On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.
---------------------------------------------
https://isc.sans.edu/diary/rss/27230
∗∗∗ Intel processors: Two undocumented microcode instructions uncovered ∗∗∗
---------------------------------------------
Security researchers have discovered instructions that can alter the behaviour of Intel processors, so far, however, only in a special debugging mode.
---------------------------------------------
https://heise.de/-5994965
∗∗∗ Extortion by e-mail: Criminals demand bitcoins ∗∗∗
---------------------------------------------
Fraudulent extortion e-mails are currently being sent in large numbers. The criminals claim to have hacked your devices and to be able to watch everything you do live. They allegedly have proof that you regularly visit porn sites, and even a video showing you masturbating is said to exist. To keep the criminals from publishing it, they demand a transfer of bitcoins.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-for…
∗∗∗ Ransomware gangs have found another set of new targets: Schools and universities ∗∗∗
---------------------------------------------
The National Cyber Security Centre issues advice on how to protect networks from cyber criminals after a spike in ransomware attacks caused disruption across the education sector over the last month.
---------------------------------------------
https://www.zdnet.com/article/ransomware-attacks-against-schools-are-rocket…
=====================
= Vulnerabilities =
=====================
∗∗∗ New versions: Firefox 87, Firefox ESR and Thunderbird 78.9 with security fixes ∗∗∗
---------------------------------------------
The updates for Firefox, Firefox ESR and the Thunderbird e-mail client include fixes for vulnerabilities alongside functional changes.
---------------------------------------------
https://heise.de/-5996236
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dnsmasq, libmediainfo, and mariadb-10.1), Fedora (dotnet5.0, moodle, and radare2), Mageia (kernel and kernel-linus), Oracle (python27:2.7, python36:3.6, and python38:3.8), Red Hat (pki-core:10.6), and Ubuntu (privoxy).
---------------------------------------------
https://lwn.net/Articles/850188/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0002.html
∗∗∗ Synology-SA-21:12 Synology Calendar ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Calendar.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_12
∗∗∗ Weintek EasyWeb cMT ∗∗∗
---------------------------------------------
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-082-01
∗∗∗ GE MU320E ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use of Hard-coded Password, Execution with Unnecessary Privileges, and Inadequate Encryption Strength vulnerabilities in GE MU320E firmware.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02
∗∗∗ GE Reason DR60 ∗∗∗
---------------------------------------------
This advisory contains mitigations for Hard-coded Password, Code Injection, and Execution with Unnecessary Privileges vulnerabilities in GE Reason DR60 digital fault recorder products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-03
∗∗∗ Ovarro TBox ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-054-04P Ovarro TBox, which was posted to the HSIN ICS library on February 23, 2021. This advisory contains mitigations for Code Injection, Incorrect Permission Assignment for Critical Resource, Uncontrolled Resource Consumption, Insufficiently Protected Credentials, and Use of Hard-coded Cryptographic Key vulnerabilities in Ovarro TBox remote terminal units (RTUs).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-04
∗∗∗ Security Bulletin: Multiple vulnerabilities are affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Lift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lift/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0299
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-03-2021 18:00 − Monday 22-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ DDoS booters now abuse DTLS servers to amplify attacks ∗∗∗
---------------------------------------------
DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-…
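The anti-amplification mechanism DTLS already has is the cookie exchange of RFC 6347: a server should answer an un-cookied ClientHello with a small HelloVerifyRequest and send the large ServerHello/Certificate flight only after the client echoes the cookie. A server that skips this step answers a ClientHello with a spoofed source address with the full flight, which is exactly what a booter needs. The added example below (not code from the article or from any vendor it cites) parses a server's first reply datagram using only the record and handshake headers defined in the RFC and reports whether the cookie exchange is enforced and the byte amplification relative to the ClientHello. Both datagrams are constructed inline for the example, not captured traffic.

```python
"""Added example (not code from the article or any vendor it cites):
classify a DTLS server's first reply to a ClientHello. Field layouts are
from RFC 6347 (13-byte record header, 12-byte handshake header); the
datagrams at the bottom are constructed, not captured."""
import struct

DTLS10, DTLS12 = 0xFEFF, 0xFEFD
HANDSHAKE = 22
HS_HELLO_VERIFY_REQUEST = 3
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest",
            11: "Certificate", 14: "ServerHelloDone"}


def dtls_record(ctype, body, epoch=0, seq=0, version=DTLS12):
    # record header: type(1) version(2) epoch(2) sequence(6) length(2)
    return struct.pack("!BHHHIH", ctype, version, epoch,
                       seq >> 32, seq & 0xFFFFFFFF, len(body)) + body


def handshake_msg(msg_type, body, msg_seq=0):
    # handshake header: type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)
    n = len(body).to_bytes(3, "big")
    return bytes([msg_type]) + n + struct.pack("!H", msg_seq) + b"\x00\x00\x00" + n + body


def parse_records(datagram):
    """Split one datagram into (content_type, version, fragment) tuples."""
    out, off = [], 0
    while off < len(datagram):
        if len(datagram) - off < 13:
            raise ValueError("truncated DTLS record header")
        ctype, ver, _epoch, _sh, _sl, length = struct.unpack_from("!BHHHIH", datagram, off)
        frag = datagram[off + 13: off + 13 + length]
        if len(frag) != length:
            raise ValueError("truncated DTLS record body")
        out.append((ctype, ver, frag))
        off += 13 + length
    return out


def handshake_types(fragment):
    """Handshake message types packed into one handshake record."""
    types, off = [], 0
    while off < len(fragment):
        if len(fragment) - off < 12:
            raise ValueError("truncated handshake header")
        frag_len = int.from_bytes(fragment[off + 9: off + 12], "big")
        types.append(fragment[off])
        off += 12 + frag_len
    return types


def assess_reply(client_hello, reply):
    """Does the server demand a cookie before the big flight, and how
    many bytes does it send per byte of ClientHello?"""
    first = None
    for ctype, _ver, frag in parse_records(reply):
        if ctype == HANDSHAKE and frag:
            first = handshake_types(frag)[0]
            break
    factor = len(reply) / len(client_hello)
    enforced = first == HS_HELLO_VERIFY_REQUEST
    return {"first_message": HS_NAMES.get(first, "none"),
            "amplification": round(factor, 2),
            "cookie_exchange_enforced": enforced,
            "amplifier": (not enforced) and factor > 1.0}


# --- constructed sample traffic ---
# ClientHello body: version, 32-byte random, empty session id, empty
# cookie, two cipher suites, null compression.
CLIENT_HELLO = dtls_record(HANDSHAKE, handshake_msg(
    1, struct.pack("!H", DTLS12) + b"\x00" * 32 + b"\x00" + b"\x00"
    + b"\x00\x04\xc0\x2b\xc0\x2f" + b"\x01\x00"))
# Compliant reply: HelloVerifyRequest with a 32-byte cookie (RFC 6347 says
# the server SHOULD use version DTLS 1.0 in this message).
COOKIE = b"\x5a" * 32
GOOD_REPLY = dtls_record(HANDSHAKE, handshake_msg(
    HS_HELLO_VERIFY_REQUEST, struct.pack("!H", DTLS10) + bytes([len(COOKIE)]) + COOKIE))
# Amplifying reply: ServerHello + Certificate (1200-byte placeholder DER) +
# ServerHelloDone without any cookie check.
_server_hello = handshake_msg(2, struct.pack("!H", DTLS12) + b"\x00" * 32
                              + b"\x00" + b"\xc0\x2b" + b"\x00", msg_seq=0)
_cert = b"\x30" + b"\x00" * 1199
_certificate = handshake_msg(11, (len(_cert) + 3).to_bytes(3, "big")
                             + len(_cert).to_bytes(3, "big") + _cert, msg_seq=1)
_done = handshake_msg(14, b"", msg_seq=2)
BAD_REPLY = dtls_record(HANDSHAKE, _server_hello + _certificate + _done)

if __name__ == "__main__":
    print("cookie-enforcing server:", assess_reply(CLIENT_HELLO, GOOD_REPLY))
    print("amplifying server:      ", assess_reply(CLIENT_HELLO, BAD_REPLY))
```

Against a live server the flight is usually split across several datagrams by DTLS fragmentation, so sum the lengths of every datagram received for one ClientHello before computing the factor. A HelloVerifyRequest answer is necessary but not sufficient: the server must also reject a ClientHello carrying a wrong cookie, which this example does not exercise.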
∗∗∗ Microsoft Exchange servers now targeted by BlackKingdom ransomware ∗∗∗
---------------------------------------------
Another ransomware operation known as BlackKingdom is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-n…
∗∗∗ Office 365 Phishing Attack Targets Financial Execs ∗∗∗
---------------------------------------------
Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials.
---------------------------------------------
https://threatpost.com/office-365-phishing-attack-financial-execs/164925/
∗∗∗ Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online ∗∗∗
---------------------------------------------
Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products (among them CVE-2021-22986, an unauthenticated remote code execution flaw in the iControl REST interface), adversaries have begun opportunistically mass-scanning and targeting exposed, unpatched devices to break into enterprise networks. News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online [...]
---------------------------------------------
https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html
∗∗∗ Multi-factor Authentication. Reset MFA you say? ∗∗∗
---------------------------------------------
MFA is a no brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2SV... Anyway, when we’re red teaming, MFA [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/multi-factor-authentication-r…
∗∗∗ Listed something on Willhaben? Beware of SMS from mob-willhaben.at! ∗∗∗
---------------------------------------------
Numerous Willhaben users are currently contacting Watchlist Internet because they have received a fraudulent SMS about a Willhaben listing. The nasty part: the recipients really are offering goods on Willhaben at the time. The SMS usually claims that someone has paid for the goods. A link in the message leads to a fake Willhaben page that tries to harvest data and install a trojan.
---------------------------------------------
https://www.watchlist-internet.at/news/auf-willhaben-inseriert-vorsicht-vor…
∗∗∗ Metamorfo/Mekotio Banking Trojan Uses AutoHotKey Scripting ∗∗∗
---------------------------------------------
The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking trojan of Latin American origin that is now expanding its reach to victims across Europe. This trojan makes use of a little-known scripting language, AutoHotKey (AHK).
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/6e934f1121d09aff346710499c0…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-342: Samsung Galaxy S20 libimagecodec Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Samsung Galaxy S20. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-342/
∗∗∗ Apache OFBiz: Update removes remotely exploitable flaw from open-source ERP software ∗∗∗
---------------------------------------------
The open-source enterprise resource planning software OFBiz could be attacked remotely. A fixed release and a patch are available.
---------------------------------------------
https://heise.de/-5994429
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and [...]
---------------------------------------------
https://lwn.net/Articles/850068/
∗∗∗ Adobe Patches Critical ColdFusion Security Flaw ∗∗∗
---------------------------------------------
Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the platform used for building and deploying mobile and web apps.
---------------------------------------------
https://www.securityweek.com/adobe-patches-critical-coldfusion-security-flaw
∗∗∗ TMM vulnerability CVE-2021-23007 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37451543
∗∗∗ Atlassian Jira Software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0297
∗∗∗ UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN12737530/
∗∗∗ Security updates available in Foxit Reader 10.1.3, Foxit PhantomPDF 10.1.3 and 3D Plugin Beta 10.1.3.37598 ∗∗∗
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.html
∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: Websphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2020-5016) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Struts framework affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-03-2021 18:00 − Friday 19-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Defender Antivirus mitigates Exchange Server vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has built an automatic mitigation tool into Defender Antivirus to close critical vulnerabilities in Exchange Server, because tens of thousands of servers are still unpatched weeks after the fixes were released.
---------------------------------------------
https://www.zdnet.de/88393956/microsoft-defender-antivirus-behebt-sicherhei…
∗∗∗ New CopperStealer malware steals Google, Apple, Facebook accounts ∗∗∗
---------------------------------------------
Previously undocumented account-stealing malware distributed via fake software crack sites targets the users of major service providers, including Google, Facebook, Amazon, and Apple.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-copperstealer-malware-st…
∗∗∗ REvil ransomware has a new ‘Windows Safe Mode’ encryption mode ∗∗∗
---------------------------------------------
The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-w…
∗∗∗ Vulnerabilities: hacking group used 11 zero-days in one year ∗∗∗
---------------------------------------------
Google's Project Zero reports on a hacking group that used a whole series of zero-days to compromise fully patched devices belonging to its victims.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hackergruppe-nutzte-11-zero-da…
∗∗∗ Easy SMS Hijacking ∗∗∗
---------------------------------------------
Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money - in this case, $16 off an anonymous prepaid credit card - and a few lies, you can forward the text messages from any phone to any other phone.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html
∗∗∗ Caution when booking holidays: dubious websites lure with cheap offers ∗∗∗
---------------------------------------------
Fancy the Maldives? Or perhaps Phuket? Or, given the ongoing Corona crisis, would you rather holiday at home: in Vienna? Or in Mayrhofen in Tyrol? Accommodation at these destinations is currently being offered by dubious booking platforms. We show you which websites you had better not book on.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-unse…
∗∗∗ Beware Android trojan posing as Clubhouse app ∗∗∗
---------------------------------------------
The malware can grab login credentials for more than 450 apps and bypass SMS-based two-factor authentication
---------------------------------------------
https://www.welivesecurity.com/2021/03/18/beware-android-trojan-posing-club…
∗∗∗ AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool ∗∗∗
---------------------------------------------
This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa21-077a
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in SOYAL Biometric Access Control System 5.0 ∗∗∗
---------------------------------------------
Zeroscience has found multiple vulnerabilities in the Biometric Access Control System product from the vendor SOYAL.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ Multiple vulnerabilities in KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 ∗∗∗
---------------------------------------------
Zeroscience has found multiple vulnerabilities in Wi-Fi/VoIP CPEs from the vendors KZ Broadband Technologies, Jaton and Neotel, including an RCE.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and pki-core), Debian (shibboleth-sp, shibboleth-sp2, and squid3), openSUSE (libmysofa and privoxy), Oracle (bind), and Ubuntu (ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/849847/
∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Information Exposure vulnerability in Exacq Technologies exacqVision web service. Exacq Technologies is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-01
∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Hitachi ABB Power Grids eSOMS software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-02
∗∗∗ Hitachi ABB Power Grids eSOMS Telerik ∗∗∗
---------------------------------------------
This advisory contains mitigations for Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, and Insufficiently Protected Credentials vulnerabilities in some Hitachi ABB Power Grids eSOMS products using Telerik software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03
∗∗∗ Rockwell Automation Logix Controllers (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that was published February 25, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
∗∗∗ Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN37607293/
∗∗∗ March 17, 2021 TNS-2021-04 [R1] Nessus Agent 8.2.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2021-04-0
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security vulnerable to a stack-based buffer overflow (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-03-2021 18:00 − Thursday 18-03-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions ∗∗∗
---------------------------------------------
Can you help Shadowserver sign up more countries/networks in Africa and the Indo-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting so please get in touch if you can help us achieve these goals.
---------------------------------------------
https://www.shadowserver.org/news/uk-foreign-commonwealth-development-offic…
∗∗∗ SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests ∗∗∗
---------------------------------------------
Existing victim networks are used to test out payloads as a novel form of sandbox.
---------------------------------------------
https://www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-ab…
∗∗∗ TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise ∗∗∗
---------------------------------------------
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/ttp-table-detecti…
∗∗∗ ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet ∗∗∗
---------------------------------------------
DDoS-for-hire services adopt new technique that amplifies attacks 37 fold.
---------------------------------------------
https://arstechnica.com/?p=1750512
∗∗∗ New XcodeSpy malware targets iOS devs in supply-chain attack ∗∗∗
---------------------------------------------
A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets…
∗∗∗ Convuster: macOS adware now in Rust ∗∗∗
---------------------------------------------
Convuster adware for macOS is written in Rust and able to use Gatekeeper to evade analysis.
---------------------------------------------
https://securelist.com/convuster-macos-adware-in-rust/101258/
∗∗∗ Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux ∗∗∗
---------------------------------------------
Back in January, we blogged about a new botnet, Necro, and shortly after our report it stopped spreading. On March 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar: the BotMon system detected that Necro had started spreading again, [...]
---------------------------------------------
https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-d…
∗∗∗ Server Side Data Exfiltration via Telegram API ∗∗∗
---------------------------------------------
One of the themes commonly highlighted on this blog includes the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware on the server level can be used for data exfiltration. What’s more, attackers may be able to accomplish this feat with a few mere lines of code.
---------------------------------------------
https://blog.sucuri.net/2021/03/server-side-data-exfiltration-via-telegram-…
∗∗∗ Simple Python Keylogger ∗∗∗
---------------------------------------------
A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by looking at the text typed on the keyboard the attacker can profile his target and estimate whether it's a juicy one or not.
---------------------------------------------
https://isc.sans.edu/diary/rss/27216
∗∗∗ Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability ∗∗∗
---------------------------------------------
On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris' Vantage Velocity field unit versions 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data from a large number of vehicles. If a device is compromised, [...]
---------------------------------------------
https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-v…
∗∗∗ NimzaLoader Malware ∗∗∗
---------------------------------------------
NimzaLoader is a new initial access malware that is unusual in its use of the Nim programming language. Proofpoint observed this malware being distributed in a TA800 email campaign in place of BazaLoader.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/0a3e6c8474f098e6b497c889ebd…
=====================
= Vulnerabilities =
=====================
∗∗∗ SYSS-2020-044: Security issue in the screen-sharing functionality of Zoom (CVE-2021-28133) ∗∗∗
---------------------------------------------
A SySS proof-of-concept video demonstrates a security issue in the screen-sharing feature of the video conferencing software Zoom.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen…
∗∗∗ Tutor LMS for WordPress Open to Info-Stealing Security Holes ∗∗∗
---------------------------------------------
The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities.
---------------------------------------------
https://threatpost.com/tutor-lms-wordpress-security-holes/164868/
∗∗∗ Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites ∗∗∗
---------------------------------------------
A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an [...]
---------------------------------------------
https://thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html
∗∗∗ ZDI-21-337: Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-337/
∗∗∗ ZDI-21-341: (0Day) (Pwn2Own) Sony X800H Smart TV Vewd Type-Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sony X800H Smart TV. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-341/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (velocity-tools), Fedora (switchboard-plug-bluetooth), Mageia (discover, flatpak, and xmlgraphics-commons), openSUSE (chromium and python), Oracle (kernel, kernel-container, and pki-core), Red Hat (openvswitch2.11 and ovn2.11, python-django, qemu-kvm-rhev, and rubygem-em-http-request), and SUSE (crmsh, openssl1, and php53).
---------------------------------------------
https://lwn.net/Articles/849737/
∗∗∗ Xen: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0289
∗∗∗ Drupal: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0287
∗∗∗ Security Bulletin: z/TPF is affected by OpenSSL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-open…
∗∗∗ Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-…
∗∗∗ Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: IBM Security Guardium External S-TAP is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ext…
∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi…
∗∗∗ Security Bulletin: March 2021 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-multiple-vulne…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM Resilient vulnerable to username enumeration (CVE-2020-4635) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-vulnerable-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-03-2021 18:00 − Wednesday 17-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mimecast says SolarWinds hackers breached its network and spied on customers ∗∗∗
---------------------------------------------
Mimecast-issued certificate used to connect to customers’ Microsoft 365 tenants.
---------------------------------------------
https://arstechnica.com/?p=1750098
∗∗∗ Twitter images can be abused to hide ZIP, MP3 files — here's how ∗∗∗
---------------------------------------------
Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/twitter-images-can-be-abused…
∗∗∗ Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities ∗∗∗
---------------------------------------------
This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/16/guidance-for-responders-inve…
∗∗∗ Microsoft Exchange Server: These quarterly updates include fixes for security flaws ∗∗∗
---------------------------------------------
Microsoft releases Exchange Server 2016 and 2019 cumulative updates that address critical flaws.
---------------------------------------------
https://www.zdnet.com/article/microsoft-exchange-server-these-quarterly-upd…
∗∗∗ New ICS Threat Activity Group: VANADINITE ∗∗∗
---------------------------------------------
The new VANADINITE activity group targets electric utilities, oil and gas, manufacturing, telecommunications, and transportation.
---------------------------------------------
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-van…
∗∗∗ How criminals hack your website unnoticed to run fake shops ∗∗∗
---------------------------------------------
Vulnerabilities on the websites of companies and associations are also used to plant fake shops. Using cloaking, criminals redirect visitors to fake shops, and the affected companies and associations know nothing about it. We explain how cloaking works and what you can do about it.
---------------------------------------------
https://www.watchlist-internet.at/news/so-hacken-kriminelle-unbemerkt-ihre-…
∗∗∗ New Mirai Variant Targeting Network Security Devices ∗∗∗
---------------------------------------------
We discovered ongoing attacks leveraging IoT vulnerabilities, including in network security devices, to serve a Mirai variant.
---------------------------------------------
https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
∗∗∗ NIS2 Proposal: First feedback on the normative text ∗∗∗
---------------------------------------------
After looking at the recitals a few weeks ago, here is my feedback on the normative text of the NIS2 proposal.
---------------------------------------------
https://cert.at/en/blog/2021/3/nis2-proposal-first-feedback-on-the-normativ…
∗∗∗ CISA-FBI Joint Advisory on TrickBot Malware ∗∗∗
---------------------------------------------
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/cisa-fbi-joint-ad…
∗∗∗ CVE-2021-27076: A Replay-Style Deserialization Attack Against SharePoint ∗∗∗
---------------------------------------------
An attacker is frequently in the position of having to find a technique to evade some data integrity measure implemented by a target.
---------------------------------------------
https://www.thezdi.com/blog/2021/3/17/cve-2021-27076-a-replay-style-deseria…
=====================
= Vulnerabilities =
=====================
∗∗∗ Researcher adds their package to Microsoft Azure SDK releases list ∗∗∗
---------------------------------------------
A security researcher was able to add their own test package to the official list of the latest Microsoft Azure SDK releases. If abused by an attacker, the simple trick can give the impression that a malicious package is part of the Azure SDK suite.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-adds-their-packag…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (shadow, tor, and velocity), Fedora (gsoap, qt5-qtsvg, and switchboard-plug-bluetooth), Mageia (batik, chromium-browser-stable, glibc, ksh, and microcode), openSUSE (389-ds, connman, freeradius-server, froxlor, openssl-1_0_0, openssl-1_1, postgresql12, and python-markdown2), Red Hat (bind, curl, kernel, nss and nss-softokn, perl, python, and tomcat), Scientific Linux (ipa, kernel, and pki-core), SUSE (glib2 and velocity), and Ubuntu (containerd).
---------------------------------------------
https://lwn.net/Articles/849622/
∗∗∗ WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN08191557/
∗∗∗ Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by multiple vulnerabilities in jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i…
∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition for Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Rational Application Developer is vulnerable to CVE-2020-2773 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-application-deve…
∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by a vulnerability (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update February 2021 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-13434, CVE-2020-13435) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access appliances. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-03-2021 18:30 − Tuesday 16-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ FBI warns of escalating Pysa ransomware attacks on education orgs ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa…
∗∗∗ One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 ∗∗∗
---------------------------------------------
We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/15/one-click-microsoft-exchange…
∗∗∗ Video conferencing: keeping confidential things confidential ∗∗∗
---------------------------------------------
The Corona pandemic has greatly increased the use of video conferencing solutions in public administration and business. The systems serve not only for communication but also for jointly creating and editing documents.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Buying pinhole glasses from ayurreadpro.com? We advise against it! ∗∗∗
---------------------------------------------
Anyone searching online for ways to improve eyesight or for eye-training methods will most likely come across pinhole glasses. These are black plastic glasses with a perforated pattern in the "lenses" that supposedly prevent and improve visual impairments. There are, however, no scientifically confirmed studies for the effectiveness of the roughly 60-euro glasses. In extreme cases, serious harm could even [...]
---------------------------------------------
https://www.watchlist-internet.at/news/eine-rasterbrille-auf-ayurreadprocom…
∗∗∗ Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th) ∗∗∗
---------------------------------------------
Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consists of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.
---------------------------------------------
https://isc.sans.edu/diary/rss/27204
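The checksum property described above turns into a cheap hunting rule for web proxy or access logs. The following is an added example and not code from the ISC diary: it computes the 8-bit checksum (byte sum modulo 256) of the first path segment of each request and reports paths that are exactly four alphanumerics with a known checksum. The constants and their family labels are taken from Metasploit's uri_checksum module and Cobalt Strike's HTTP stagers as publicly documented; treat that mapping as an assumption of the example. The log lines are constructed for the demo.

```python
import re
from typing import List, Optional, Tuple

# Checksum constants a stager path must hash to. Values from Metasploit's
# uri_checksum module and Cobalt Strike's HTTP stagers as publicly documented;
# the family mapping is an assumption of this example.
STAGER_CHECKSUMS = {
    92: "metasploit native / cobalt strike x86",
    93: "cobalt strike x64",
    80: "metasploit python",
    88: "metasploit java",
    98: "metasploit connect",
    95: "metasploit init+connect",
}

# Only the first path segment matters; query string and later segments are dropped.
_REQUEST_RE = re.compile(r'"(?:GET|POST)\s+/([A-Za-z0-9]+)[^\s"]*\s+HTTP/')
_SEGMENT_RE = re.compile(r"[A-Za-z0-9]{4}")


def checksum8(segment: str) -> int:
    """8-bit checksum as Metasploit computes it: byte sum modulo 256."""
    return sum(segment.encode("ascii")) % 256


def stager_label(segment: str) -> Optional[str]:
    """Family name if `segment` is 4 alphanumerics with a known checksum, else None."""
    if not _SEGMENT_RE.fullmatch(segment):
        return None
    return STAGER_CHECKSUMS.get(checksum8(segment))


def find_stager_requests(log_lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (segment, checksum, family) for each request line that matches."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if m is None:
            continue
        label = stager_label(m.group(1))
        if label is not None:
            hits.append((m.group(1), checksum8(m.group(1)), label))
    return hits


# Constructed access-log lines: "aaa9" sums to 348 -> 92, "aab9" to 349 -> 93,
# "abcd" to 394 -> 138 (no match), "index" is the wrong length.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2021:10:00:01 +0000] "GET /aaa9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Mar/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Mar/2021:10:00:03 +0000] "GET /abcd HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [15/Mar/2021:10:00:04 +0000] "GET /aab9?x=1 HTTP/1.1" 200 219000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for segment, cs, family in find_stager_requests(SAMPLE_LOG):
        print(f"/{segment}: checksum8={cs} -> {family}")
```

A random four-character alphanumeric path lands on one of six constants roughly 6 times in 256, so this is a triage filter rather than a verdict: confirm hits by looking at the response size, the user agent and whether the client fetched anything else from the same host.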
∗∗∗ Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks ∗∗∗
---------------------------------------------
New research has yielded yet another means to pilfer sensitive data by exploiting what's the first "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this [...]
---------------------------------------------
https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
∗∗∗ Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution ∗∗∗
---------------------------------------------
We fuzzed VoIPmonitor using SIPVicious PRO and got a crash in the software's live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that it was fully exploitable, since the distributed binaries do not have any memory corruption protection.
---------------------------------------------
https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonit…
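The point about unprotected binaries is worth verifying yourself before trusting any vendor-shipped build. The following is an added example, not code from the VoIPmonitor project or the rtcsec.com authors: a minimal Python checker that reads the ELF64 program headers and reports the protections a checksec-style tool would (PIE, non-executable stack, RELRO, stack canary). The sample ELF images are constructed inside the script so it runs offline; `check_file` applies the same logic to a real binary.

```python
import struct
from typing import Dict, List, Tuple

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def parse_elf64(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data: bytes) -> Dict[str, bool]:
    e_type, phdrs = parse_elf64(data)
    stack = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    # A missing PT_GNU_STACK is treated as unprotected: older kernels then map the
    # stack executable, and a hardened toolchain always emits the header.
    nx = bool(stack) and not (stack[0] & PF_X)
    return {
        "pie": e_type == ET_DYN,  # ET_DYN for an executable means PIE
        "nx": nx,
        "relro": any(ptype == PT_GNU_RELRO for ptype, _ in phdrs),
        # Heuristic used by checksec-style tools: a canary-enabled build references
        # __stack_chk_fail. A stripped static binary can defeat this check.
        "canary": b"__stack_chk_fail" in data,
    }


def missing_protections(report: Dict[str, bool]) -> List[str]:
    return [name for name in ("pie", "nx", "relro", "canary") if not report[name]]


def check_file(path: str) -> List[str]:
    """Protections missing from a real binary on disk."""
    with open(path, "rb") as fh:
        return missing_protections(hardening_report(fh.read()))


def build_sample_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image carrying only the headers the checker reads.
    It is not a runnable program; it exists so this example works offline."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)]  # RW versus RWX stack
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC,
                         0x3E, 1, 0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    symbols = b"__stack_chk_fail\x00" if canary else b"__libc_start_main\x00"
    return header + body + symbols


if __name__ == "__main__":
    for label, image in (("hardened", build_sample_elf(True, True, True, True)),
                         ("as-shipped", build_sample_elf(False, False, False, False))):
        print(label, "missing:", missing_protections(hardening_report(image)) or "nothing")
```

Full RELRO additionally needs DT_BIND_NOW in the dynamic section, which this example does not parse; `relro` here means the partial form. Run `check_file` over every binary a package installs, not just the main daemon, since helper tools tend to be built with a different set of flags.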
∗∗∗ Hackers are targeting telecoms companies to steal 5G secrets ∗∗∗
---------------------------------------------
Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-s…
∗∗∗ Exploring my doorbell ∗∗∗
---------------------------------------------
I've talked about my doorbell before, but started looking at it again this week because sometimes it simply doesn't send notifications to my Home Assistant setup - the push notifications appear on my phone, but the doorbell simply doesn't trigger the HTTP callback it's meant to[1]. This is obviously suboptimal, but it's also tricky to debug a device when you have no access to it.
---------------------------------------------
https://mjg59.dreamwidth.org/56345.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, [...]
---------------------------------------------
https://lwn.net/Articles/849501/
∗∗∗ This years-old Microsoft Office vulnerability is still popular with hackers, so patch now ∗∗∗
---------------------------------------------
Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware.
---------------------------------------------
https://www.zdnet.com/article/this-years-old-microsoft-office-vulnerability…
∗∗∗ Current figures on the Exchange vulnerabilities in Austria ∗∗∗
---------------------------------------------
TL;DR
1074 Exchange servers are still unpatched (as of 2021-03-16). After the first active scans between 9 and 12 March there were still 2236.
So far, 465 webshells have been found in Austria by Shadowserver and Kryptos Logic.
Initial patch discipline was apparently high.
If possible, use Microsoft's script at https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-pr… to find and mitigate webshells [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwach…
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Cross-site Scripting vulnerability in Advantech WebAccess/SCADA browser-based software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-01
∗∗∗ GE UR family ∗∗∗
---------------------------------------------
This advisory contains mitigations for multiple vulnerabilities in GE UR family of protection and control relays.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02
∗∗∗ Hitachi ABB Power Grids AFS Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Infinite Loop vulnerability in Hitachi ABB Power Grids AFS Series products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-03
∗∗∗ BD Alaris 8015 PC Unit (Update B) ∗∗∗
---------------------------------------------
[...] This advisory contains compensating controls to reduce the risk of exploitation of insufficiently protected credentials and security features vulnerabilities in BD Alaris 8015 Point of Care units, which provide a common user interface for programming [...]
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02
∗∗∗ DP API encryption ineffective in Windows containers: Publicly Available Cryptographic Keys (CVE-2021-1645) ∗∗∗
---------------------------------------------
We recently discovered a vulnerability in the DP API key management of Windows containers. This vulnerability was assigned CVE-2021-1645 by Microsoft [1] and allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. This vulnerability was discovered in close cooperation with SignPath [2].
---------------------------------------------
https://certitude.consulting/blog/en/windows-docker-dp-api-vulnerability-cv…
∗∗∗ Apache Tomcat vulnerability CVE-2021-25329 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K73648110
∗∗∗ Apache Tomcat vulnerability CVE-2021-25122 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00174195
∗∗∗ TYPO3 Extensions: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0276
∗∗∗ TYPO3 Core: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0275
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m…
∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into log files (CVE-2020-4851) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-03-2021 18:30 − Monday 15-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Protecting on-premises Exchange Servers against recent attacks ∗∗∗
---------------------------------------------
While Microsoft has regular methods for providing tools to update software, this extraordinary situation calls for a heightened approach. In addition to our regular software updates, we are also providing specific updates for older and out-of-support software with the intent to make it as easy as possible to quickly protect your business.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-e…
∗∗∗ Update available! ∗∗∗
---------------------------------------------
For World Consumer Rights Day, the BSI provides information and guidance on the simple and automatic installation of software updates.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Research: Security Agencies Expose Information via Improperly Sanitized PDFs ∗∗∗
---------------------------------------------
Most security agencies fail to properly sanitize Portable Document Format (PDF) files before publishing them, thus exposing potentially sensitive information and opening the door for attacks, researchers have discovered.
---------------------------------------------
https://www.securityweek.com/research-security-agencies-expose-information-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Three Flaws in the Linux Kernel Since 2006 Could Grant Root Privileges ∗∗∗
---------------------------------------------
"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, [...]
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/d0iuqi9zTtI/three-flaws-in-…
∗∗∗ Security update: attackers are again targeting Google Chrome ∗∗∗
---------------------------------------------
The Chrome developers have closed five security vulnerabilities in the web browser. One of them is reportedly being exploited by attackers at present.
---------------------------------------------
https://heise.de/-5987831
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ca-certificates, flatpak, golang-1.7, golang-1.8, mupdf, pygments, and tiff), Fedora (containerd, golang-github-containerd-cri, mingw-gdk-pixbuf, mingw-glib2, mingw-jasper, mingw-python-jinja2, mingw-python-pillow, mingw-python3, python-django, python-pillow, and python2-pillow), Mageia (git, mediainfo, netty, python-django, and quartz), openSUSE (crmsh, git, glib2, kernel-firmware, openldap2, stunnel, and wpa_supplicant), Oracle (qemu), Red Hat [...]
---------------------------------------------
https://lwn.net/Articles/849406/
∗∗∗ GnuTLS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0273
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU (CVE-2020-2773) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: Streams Flows might be affected by some underlying Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-streams-flows-might-be-af…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM API Connect's API Manager is vulnerable to invitation and registration link tampering (CVE-2021-20440) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-api-mana…
∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4448) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by remote code execution (CVE-2020-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-03-2021 18:30 − Friday 12-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Waiting for a parcel? Beware of this fraudulent e-mail! ∗∗∗
---------------------------------------------
Time and again, criminals try to lure you into a subscription trap or get hold of your data with false claims. Readers are currently reporting fraudulent e-mails to us which claim that a parcel cannot be delivered because the address is missing. But beware: it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/sie-warten-auf-ein-paket-vorsicht-vo…
∗∗∗ Extra costs & long delivery times? How to avoid problems with online shops outside the EU! ∗∗∗
---------------------------------------------
We regularly receive reports of online shops that are not fake shops but are problematic nonetheless. This applies in particular to shops that are either based outside the EU or ship from outside the EU. We show you what to look out for so that you don't get any nasty surprises when shopping online abroad!
---------------------------------------------
https://www.watchlist-internet.at/news/zusatzkosten-lange-lieferzeiten-so-v…
∗∗∗ New DEARCRY Ransomware is targeting Microsoft Exchange Servers ∗∗∗
---------------------------------------------
A new ransomware called DEARCRY is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-ta…
∗∗∗ What Are BEC Attacks? ∗∗∗
---------------------------------------------
Business e-mail compromise, otherwise known as BEC, happens when an attacker breaks into a corporate e-mail account and impersonates its real owner with the sole purpose of defrauding the company, its customers, partners and/or employees into sending money or sensitive data to the attacker's account. Also known as the "man-in-the-email" attack, BEC scams start with [...]
---------------------------------------------
https://heimdalsecurity.com/blog/what-are-bec-attacks/
∗∗∗ New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims ∗∗∗
---------------------------------------------
In the security community, when people talk about honeypots, by default we assume this is one of the most used toolkits for security researchers to lure the bad guys. But recently we came across a botnet that uses a honeypot to harvest other infected devices, which is quite interesting.
---------------------------------------------
https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/
∗∗∗ A Spectre proof-of-concept for a Spectre-proof web ∗∗∗
---------------------------------------------
Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still [...]
---------------------------------------------
https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spec…
∗∗∗ Mac Malware XCSSET Adapted for Devices With M1 Chips ∗∗∗
---------------------------------------------
An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip.
---------------------------------------------
https://www.securityweek.com/mac-malware-xcsset-adapted-devices-m1-chips
∗∗∗ New Browser Attack Allows Tracking Users Online With JavaScript Disabled ∗∗∗
---------------------------------------------
[...] the latest research released this week aims to bypass such browser-based mitigations by implementing a side-channel attack called "CSS Prime+Probe" constructed solely using HTML and CSS, allowing the attack to work even in hardened browsers like Tor, Chrome Zero, and DeterFox that have JavaScript fully disabled or limit the resolution of the timer API.
---------------------------------------------
https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144) ∗∗∗
---------------------------------------------
The D-Link DIR-3060 (running firmware versions below v1.11b04) is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to a DIR-3060 would be able to run arbitrary system commands on the device as the system "admin" user, with root privileges. D-Link has released a patched firmware version v1.11b04 Hotfix 2 to address this issue. Affected users are advised to apply the patch.
---------------------------------------------
https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow).
---------------------------------------------
https://lwn.net/Articles/849208/
∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in Schneider Electric IGSS SCADA software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01
∗∗∗ Wireshark: vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0266
∗∗∗ NetBSD Foundation NetBSD OS: vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0270
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-8277 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerability in TLS (CVE-2020-4831) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-…
∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-26116 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-03-2021 18:30 − Thursday 11-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The Hafnium Exchange server hack: anatomy of a catastrophe ∗∗∗
---------------------------------------------
Could Microsoft have prevented the mass hack of Exchange servers by reacting faster? The sequence of events raises questions.
---------------------------------------------
https://heise.de/-5077269
∗∗∗ NAT slipstreaming attacks: it gets even worse ∗∗∗
---------------------------------------------
Time to act: with NAT slipstreaming 2.0, criminals can attack not only the victim's device but any IP address on the network.
---------------------------------------------
https://heise.de/-5078104
∗∗∗ Exchange vulnerabilities: now comes the cybercrime wave with extortion ∗∗∗
---------------------------------------------
A public exploit for the security vulnerabilities in Microsoft Exchange means the first extortion cases are just around the corner.
---------------------------------------------
https://heise.de/-5078180
∗∗∗ F5 Announces Critical BIG-IP pre-auth RCE bug ∗∗∗
---------------------------------------------
F5 Networks is a leading provider of enterprise networking gear, with software and hardware customers like governments, Fortune 500 firms, banks, internet service providers, and largely known consumer brands (Microsoft, Oracle, and Facebook). The patch refers to the four critical vulnerabilities listed below and also includes a pre-auth RCE security flaw (CVE-2021-22986) that allows unauthenticated [...]
---------------------------------------------
https://heimdalsecurity.com/blog/f5-announces-critical-bug/
∗∗∗ FIN8 Resurfaces with Revamped Backdoor Malware ∗∗∗
---------------------------------------------
The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems.
---------------------------------------------
https://threatpost.com/fin8-resurfaces-backdoor-malware/164684/
∗∗∗ Piktochart - Phishing with Infographics, (Thu, Mar 11th) ∗∗∗
---------------------------------------------
In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targeting users of the infographic service Piktochart.
---------------------------------------------
https://isc.sans.edu/diary/rss/27194
∗∗∗ Magento 2 PHP Credit Card Skimmer Saves to JPG ∗∗∗
---------------------------------------------
Bad actors often leverage creative techniques to conceal malicious behaviour and harvest sensitive information from ecommerce websites. A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.
---------------------------------------------
https://blog.sucuri.net/2021/03/magento-2-php-credit-card-skimmer-saves-to-…
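A stash file with an image extension is easy to spot once you stop trusting the extension. The following is an added example, not code from the Sucuri write-up: it flags files under an image extension whose bytes carry no image magic but are almost entirely printable text, and, assuming the encoding is base64 (the page only says "encoded"), decodes the first record so an analyst can confirm what was captured. The sample files are constructed inline; `scan_directory` applies the same check to a real web root.

```python
import base64
import binascii
import os
import string
from typing import Dict, List, Optional, Tuple

# Leading bytes a genuine image of each type must carry.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
_PRINTABLE = set(string.printable.encode("ascii"))


def has_image_magic(data: bytes, ext: str) -> bool:
    return any(data.startswith(magic) for magic in IMAGE_MAGIC.get(ext, ()))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; a real image is far below 1.0."""
    if not data:
        return 0.0
    return sum(byte in _PRINTABLE for byte in data) / len(data)


def classify(name: str, data: bytes) -> str:
    """'ok' for a real image, 'text-in-image' for text behind an image extension,
    'bad-magic' for other mismatches, 'skip' for non-image names."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_MAGIC:
        return "skip"
    if has_image_magic(data, ext):
        return "ok"
    if printable_ratio(data) >= 0.95:
        return "text-in-image"
    return "bad-magic"


def decode_stash_lines(data: bytes) -> List[bytes]:
    """Decode each line as base64 (assumed encoding); lines that fail are skipped."""
    decoded = []
    for line in data.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            decoded.append(base64.b64decode(line, validate=True))
        except (binascii.Error, ValueError):
            continue
    return decoded


def scan(files: Dict[str, bytes]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (name, verdict, preview) for every file that is not a real image."""
    findings = []
    for name, data in files.items():
        verdict = classify(name, data)
        if verdict in ("ok", "skip"):
            continue
        records = decode_stash_lines(data)
        preview = records[0][:60].decode("utf-8", "replace") if records else None
        findings.append((name, verdict, preview))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str, Optional[str]]]:
    """Same check over a real web root, e.g. a Magento pub/media tree."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for fname in names:
            if os.path.splitext(fname)[1].lower() in IMAGE_MAGIC:
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    files[path] = fh.read()
    return scan(files)


# Constructed sample files: a real JPEG header, a PNG, a non-image, and a fake .jpg
# holding base64-encoded checkout fields of the kind a skimmer would capture.
_STOLEN = b"cc_number=4111111111111111&cvv=123&exp=12/25&name=J.Doe"
SAMPLE_FILES = {
    "pub/media/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256)),
    "pub/media/banner.png": b"\x89PNG\r\n\x1a\n" + bytes(range(64)),
    "pub/media/tmp/0x123.jpg": base64.b64encode(_STOLEN) + b"\n",
    "pub/media/readme.txt": b"not an image",
}

if __name__ == "__main__":
    for name, verdict, preview in scan(SAMPLE_FILES):
        print(f"{name}: {verdict}; first record: {preview!r}")
```

Pair the file check with a mtime filter: a stash file keeps growing as orders come in, so an "image" in a media directory that was modified in the last few hours and has no matching product record is the first thing to look at.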
∗∗∗ Home Assistant, Pwned Passwords and Security Misconceptions ∗∗∗
---------------------------------------------
Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter I've come to love as I've embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently.
---------------------------------------------
https://www.troyhunt.com/home-assistant-pwned-passwords-and-security-miscon…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant).
---------------------------------------------
https://lwn.net/Articles/849088/
∗∗∗ Security Advisory - Sudo Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210310…
∗∗∗ Paessler PRTG: vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0260
∗∗∗ Linux kernel ext3/ext4 file system vulnerability CVE-2020-14314 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K67830124
∗∗∗ glibc vulnerability CVE-2019-25013 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68251873
∗∗∗ glibc vulnerability CVE-2020-29573 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27238230
∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is Affected by Multiple Vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Symbolic Link Permissions Problem Modeler Subscription Installer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-symbolic-link-permissions…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by vulnerability in jackson-databind (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-03-2021 18:30 − Wednesday 10-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Exchange hack: Microsoft 365 migration tool replaced by a text file ∗∗∗
---------------------------------------------
A Golem.de reader wanted to migrate his employer's Exchange accounts to Microsoft 365. Instead of the helper tool, he received a text file containing a message.
---------------------------------------------
https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-…
∗∗∗ Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS ∗∗∗
---------------------------------------------
(Edit: this is CVE-2021-1000002) Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands.
---------------------------------------------
https://mjg59.dreamwidth.org/56106.html
∗∗∗ Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ∗∗∗
---------------------------------------------
Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs.
These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vu…
∗∗∗ SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th) ∗∗∗
---------------------------------------------
With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold?
---------------------------------------------
https://isc.sans.edu/diary/rss/27188
∗∗∗ Researchers Unveil New Linux Malware Linked to Chinese Hackers ∗∗∗
---------------------------------------------
Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog.
---------------------------------------------
https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html
∗∗∗ Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks ∗∗∗
---------------------------------------------
Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.
---------------------------------------------
https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expo…
∗∗∗ Targeted HelloKitty Ransomware Attack ∗∗∗
---------------------------------------------
SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac70…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Patch Tuesday - March 2021 ∗∗∗
---------------------------------------------
In their March 2021 security updates, Microsoft lists eighty-three CVE-numbered vulnerabilities. Of those, ten are rated as Critical, with the remainder rated as Important. Aside from the already well-publicized exploitation of the Exchange Server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3e…
∗∗∗ Adobe Patch Day: Malicious-code vulnerabilities in Connect, Creative Cloud and Framemaker ∗∗∗
---------------------------------------------
The software vendor Adobe has closed several critical security vulnerabilities in various applications.
---------------------------------------------
https://heise.de/-5076338
∗∗∗ Version control system Git 2.30.2 fixes security vulnerability when cloning ∗∗∗
---------------------------------------------
Under certain circumstances the vulnerability allows scripts to be executed when cloning repositories.
---------------------------------------------
https://heise.de/-5076502
∗∗∗ SAP Patch Day: Critical vulnerabilities in SAP MII and NetWeaver AS for Java fixed ∗∗∗
---------------------------------------------
Among other fixes, SAP has closed two security vulnerabilities in Manufacturing Integration and Intelligence (MII) & NetWeaver AS JAVA with CVSS scores close to 10.
---------------------------------------------
https://heise.de/-5076543
∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf ∗∗∗
---------------------------------------------
3MF Consortium’s lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition.
---------------------------------------------
https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).
---------------------------------------------
https://lwn.net/Articles/848973/
∗∗∗ QEMU: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
CB-K21/0250: QEMU: Vulnerability allows execution of arbitrary code with the privileges of the service
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0250
∗∗∗ SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 and Jan 2021 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ BIG-IQ DCD vulnerability CVE-2021-22996 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ HA vulnerability CVE-2021-22995 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ HA vulnerability CVE-2021-22997 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_mediu…
∗∗∗ F5 TMUI XSS vulnerability CVE-2021-22994 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23003 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP ASM iControl REST vulnerability CVE-2021-23001 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP TMM vulnerability CVE-2021-23000 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP SNAT vulnerability CVE-2021-22998 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ HA vulnerability CVE-2021-23005 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23004 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ XSS vulnerability CVE-2021-23006 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP APM VPN vulnerability CVE-2021-23002 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_mediu…
∗∗∗ TMM buffer-overflow vulnerability CVE-2021-22991 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_mediu…
∗∗∗ TMUI authenticated remote command execution vulnerability CVE-2021-22988 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_mediu…
∗∗∗ Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2021-22999 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_mediu…
∗∗∗ Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_mediu…
∗∗∗ iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_mediu…
∗∗∗ Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_mediu…
∗∗∗ Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_mediu…
∗∗∗ glibc vulnerability CVE-2021-3326 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_mediu…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-03-2021 18:30 − Tuesday 09-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers ∗∗∗
---------------------------------------------
A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unp…
∗∗∗ GitHub Fixed a Bug impacting Authenticated Sessions ∗∗∗
---------------------------------------------
Earlier this month GitHub received a report of anomalous behavior from an external party and fixed the bug in order to protect user accounts against a potentially serious security vulnerability. The anomalous behavior was caused by a race condition vulnerability that misrouted a GitHub user's login session to the web browser of another logged-in user, [...]
---------------------------------------------
https://heimdalsecurity.com/blog/github-fixes-bug/
∗∗∗ Serious Security: Webshells explained in the aftermath of HAFNIUM attacks ∗∗∗
---------------------------------------------
Webshells explained, with some (safe) examples you can try at home if you want to learn more.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-expl…
∗∗∗ 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect [...]
---------------------------------------------
https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html
∗∗∗ Fuzzing grub: part 1 ∗∗∗
---------------------------------------------
Recently a set of 8 vulnerabilities were disclosed for the grub bootloader. I found 2 of them (CVE-2021-20225 and CVE-2021-20233), and contributed a number of other fixes for crashing bugs which we don't believe are exploitable. I found them by applying fuzz testing to grub. Here's how.
---------------------------------------------
https://sthbrx.github.io/blog/2021/03/04/fuzzing-grub-part-1/
∗∗∗ Beware of fraudulent apartment listings on Facebook Marketplace ∗∗∗
---------------------------------------------
Rental and owner-occupied apartments are also advertised on Facebook Marketplace. If the price is very low, however, you should be careful, as it could be fraud. If landlords claim to be abroad and want to handle the viewing and the transfer of the deposit via Airbnb, you can safely assume it is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-wohnung…
∗∗∗ Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning ∗∗∗
---------------------------------------------
We review vulnerabilities in dnsmasq, an open source DNS resolver, deep dive into DNS cache poisoning and describe effects on cloud products.
---------------------------------------------
https://unit42.paloaltonetworks.com/overview-of-dnsmasq-vulnerabilities-the…
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe fixes critical Creative Cloud, Adobe Connect vulnerabilities ∗∗∗
---------------------------------------------
Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-creativ…
∗∗∗ Apple Plugs Severe WebKit Remote Code-Execution Hole ∗∗∗
---------------------------------------------
Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari.
---------------------------------------------
https://threatpost.com/apple-webkit-remote-code-execution/164595/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd).
---------------------------------------------
https://lwn.net/Articles/848835/
∗∗∗ Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components ∗∗∗
---------------------------------------------
Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products.
---------------------------------------------
https://www.securityweek.com/siemens-releases-several-advisories-vulnerabil…
∗∗∗ Synology-SA-21:11 Download Station ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_11
∗∗∗ Synology-SA-21:10 Media Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_10
∗∗∗ SAP Security Patch Day - March 2021 ∗∗∗
---------------------------------------------
On the 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes.
---------------------------------------------
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107
∗∗∗ Microsoft Exchange attacks: Now Microsoft rushes out a patch for these unsupported Exchange servers, too ∗∗∗
---------------------------------------------
Microsoft provides more patches for critical Exchange vulnerabilities that are being exploited widely on the internet.
---------------------------------------------
https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rush…
∗∗∗ Squid: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0241
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0247
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring returns potentially sensitive information in headers which could lead to further attacks against the system. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: Google Protocol Buffers as used by IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2015-5237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-google-protocol-buffers-a…
∗∗∗ Security Bulletin: Information leakage vulnerability affects IBM Business Automation Workflow – CVE-2021-20358 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-leakage-vulne…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in JAVA affect IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Vulnerability in FasterXML Jackson libraries affects IBM Cúram Social Program Management (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-03-2021 18:30 − Monday 08-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Attacks on Exchange servers – Microsoft provides a check script for admins ∗∗∗
---------------------------------------------
Security vulnerabilities in Exchange Server are currently attracting attacks. Microsoft provides a script with which administrators can check their systems.
---------------------------------------------
https://heise.de/-5073827
∗∗∗ A Basic Timeline of the Exchange Mass-Hack ∗∗∗
---------------------------------------------
Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here's a brief timeline of what we know leading up to last week's mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.
---------------------------------------------
https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-h…
∗∗∗ Ransomware gang plans to call victims' business partners about attacks ∗∗∗
---------------------------------------------
The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victims' business partners to generate ransom payments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-cal…
∗∗∗ Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) ∗∗∗
---------------------------------------------
Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you have uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people!
---------------------------------------------
https://isc.sans.edu/diary/rss/27174
∗∗∗ The January/February 2021 issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Dependency confusion - when trust is too good to be true; Water hacking - not a new trendy sport, but [...]
---------------------------------------------
https://securityblog.switch.ch/2021/03/08/the-january-february-2021-issue-o…
∗∗∗ Domain dumpster diving ∗∗∗
---------------------------------------------
By Jaeson Schultz. Dumpster diving - searching through the trash looking for items of value - has long been a staple of hacking culture. In the 1995 movie "Hackers," Acid Burn and Crash Override are seen dumpster diving for information they can use to help them "hack the Gibson." Of course, not all trash is physical garbage located in a dumpster behind an office building. Some trash is virtual.
---------------------------------------------
https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html
∗∗∗ Bazar Drops the Anchor ∗∗∗
---------------------------------------------
The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage [...]
---------------------------------------------
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical 0-day in The Plus Addons for Elementor Allows Site Takeover ∗∗∗
---------------------------------------------
Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-fo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2).
---------------------------------------------
https://lwn.net/Articles/848710/
∗∗∗ Linux kernel vulnerability CVE-2019-18282 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32380005
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14779,CVE-2020-14796, CVE-2020-14797,CVE-2020-14798) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect TPF Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server January 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM API Connect's provider org registration flow is vulnerable to impersonation and sensitive information leak (CVE-2020-4903) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-provider…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via Node.js (CVE-2020-8277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
∗∗∗ Security Bulletin: IBM API Connect V10 is impacted by insecure communications during database replication (CVE-2020-4695) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v10-is-im…
∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to an RCE attack (CVE-2020-5014) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-03-2021 18:30 − Friday 05-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Microsoft: Exchange updates can install without fixing vulnerabilities ∗∗∗
---------------------------------------------
Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-c…
∗∗∗ D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant ∗∗∗
---------------------------------------------
A new variant of the Gafgyt botnet - that's actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say.
---------------------------------------------
https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/
∗∗∗ QNAP NAS users, make sure you check your system ∗∗∗
---------------------------------------------
On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1]. Upon a successful attack, the attacker gains root privileges on the device and performs malicious mining activities.
---------------------------------------------
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/
∗∗∗ Spam Farm Spotted in the Wild, (Fri, Mar 5th) ∗∗∗
---------------------------------------------
If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails.
---------------------------------------------
https://isc.sans.edu/diary/rss/27170
∗∗∗ Fighting Excel malware: AMSI against infected XML code ∗∗∗
---------------------------------------------
Microsoft is expanding its Antimalware Scan Interface (AMSI). In addition to VBA code, it can now also scan XML code.
---------------------------------------------
https://heise.de/-5073364
∗∗∗ QNAPCrypt and SunCrypt Ransomware Connection ∗∗∗
---------------------------------------------
Intezer has published a blog posting that provides an analysis of the connections between the QNAPCrypt and SunCrypt ransomware. SunCrypt is an affiliate ransomware service, while QNAPCrypt surfaced in 2019 and was used to target devices from QNAP and Synology. The analysis concludes that the current SunCrypt ransomware shares many similarities [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/75ee68a919cad9c434c63bfb0e3…
∗∗∗ GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence ∗∗∗
---------------------------------------------
Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM - the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot…
=====================
= Vulnerabilities =
=====================
∗∗∗ Grub 2: Eight new vulnerabilities in the bootloader ∗∗∗
---------------------------------------------
The Grub 2 developers have reported several vulnerabilities. Some of them can once again bypass Secure Boot, which considerably complicates the update process.
---------------------------------------------
https://heise.de/-5073481
∗∗∗ Benchmarking tool VMware View Planner is susceptible to malicious code ∗∗∗
---------------------------------------------
There is an important security update for VMware View Planner. Under certain conditions, attackers could execute their own commands.
---------------------------------------------
https://heise.de/-5073000
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).
---------------------------------------------
https://lwn.net/Articles/848416/
∗∗∗ Supermicro, Pulse Secure Respond to Trickbot's Ability to Target Firmware ∗∗∗
---------------------------------------------
Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.
---------------------------------------------
https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-abil…
∗∗∗ ICS-CERT Advisories March 04 2021 ∗∗∗
---------------------------------------------
The ICS-CERT has published 2 advisories that affect Rockwell Automation 1734-AENTR Series B and Series C, and Schneider Electric EcoStruxure Building Operation (EBO). Further information is available from the advisories which are summarised below.
https://us-cert.cisa.gov/ics/advisories/icsa-21-063-01
https://us-cert.cisa.gov/ics/advisories/icsa-21-063-02
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/32af714c7074693f32dfa23b263…
∗∗∗ BIND vulnerability CVE-2020-8625 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13591074?utm_source=f5support&utm_mediu…
∗∗∗ Dell integrated Dell Remote Access Controller: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0238
∗∗∗ Security Bulletin: Google-api-client as used by IBM QRadar SIEM is vulnerable to authorization bypass (CVE-2020-7692) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (March 2021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-03-2021 18:30 − Thursday 04-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Researcher bitsquats Microsoft's windows.com to steal traffic ∗∗∗
---------------------------------------------
A researcher was able to bitsquat Microsoft's windows.com domain by cybersquatting variations of windows.com. Adversaries can abuse this tactic to conduct automated attacks or collect data due to the nature of bit flipping.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microso…
∗∗∗ Trojan Spyware and BEC Attacks ∗∗∗
---------------------------------------------
When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more [...]
---------------------------------------------
https://blog.sucuri.net/2021/03/trojan-spyware-and-bec-attacks.html
∗∗∗ Cybercriminals Finding Ways to Bypass 3D Secure Fraud Prevention System ∗∗∗
---------------------------------------------
Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions.
---------------------------------------------
https://www.securityweek.com/cybercriminals-finding-ways-bypass-3d-secure-f…
∗∗∗ Deposit cryptocurrency and get double back? FAKE! ∗∗∗
---------------------------------------------
Watchlist Internet and the Internet Ombudsstelle are receiving more and more messages from desperate consumers. They pay large amounts in cryptocurrencies such as Bitcoin, Ethereum or Ripple into fraudulent platforms that promise to pay back double or a multiple of the amount. Every deposit is lost and the money cannot be recovered!
---------------------------------------------
https://www.watchlist-internet.at/news/kryptowaehrung-einzahlen-und-das-dop…
=====================
= Vulnerabilities =
=====================
∗∗∗ Windows DNS SIGRed bug gets first public RCE PoC exploit ∗∗∗
---------------------------------------------
A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-…
∗∗∗ D-Link: Update for Wireless Access Point DAP-2020 fixes three vulnerabilities ∗∗∗
---------------------------------------------
An important firmware update removes attack vectors from adjacent networks that required no authentication.
---------------------------------------------
https://heise.de/-5071286
∗∗∗ XSA-367 - Linux: netback fails to honor grant mapping errors ∗∗∗
---------------------------------------------
A malicious or buggy networking frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. In a typical (non-disaggregated) system that is a host-wide denial of service (DoS).
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-367.html
∗∗∗ XSA-369 - Linux: special config may crash when trying to map foreign pages ∗∗∗
---------------------------------------------
A Dom0 or driver domain based on a Linux kernel (configured as described above) can be crashed by a malicious guest administrator, or possibly malicious unprivileged guest processes.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-369.html
∗∗∗ Critical Vulnerability Patched in WooCommerce Upload Files ∗∗∗
---------------------------------------------
On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-wo…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography).
---------------------------------------------
https://lwn.net/Articles/848223/
∗∗∗ High severity Linux network security holes found, fixed ∗∗∗
---------------------------------------------
This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available.
---------------------------------------------
https://www.zdnet.com/article/linux-network-security-holes-found-fixed/
∗∗∗ Shodan Verified Vulns 2021-03-01 ∗∗∗
---------------------------------------------
Another month has passed and we again take a look at the vulnerabilities that Shodan sees in Austria. As of 2021-03-01 the picture is as follows: compared to the previous month almost nothing has changed, only the guest appearance of CVE-2019-19781 a.k.a. "Shitrix" in January seems to be over again. An overview and further links to all "Verified Vulnerabilities" that Shodan has found in Austria can be found [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/shodan-verified-vulns-2021-03-01
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11 (CVE-2020-7788) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site request forgery vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a systemd vulnerability (CVE-2019-20386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libexpat vulnerabilities (CVE-2018-20843, CVE-2019-15903) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libxslt vulnerabilities (CVE-2019-11068, CVE-2019-18197) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-03-2021 18:00 − Wednesday 03-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Qakbot infection with Cobalt Strike, (Wed, Mar 3rd) ∗∗∗
---------------------------------------------
On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.
---------------------------------------------
https://isc.sans.edu/diary/rss/27158
∗∗∗ Qualys hit with ransomware: Customer invoices leaked on extortionist's Tor blog ∗∗∗
---------------------------------------------
Ace infosec biz aware and investigating, we're told. Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage have seemingly fallen victim to a ransomware attack.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/03/03/qualys_ranso…
∗∗∗ "Urlaubsguru ReiseWelt" advertises fake travel offers on Facebook and Instagram ∗∗∗
---------------------------------------------
12 nights in the Maldives or two weeks in Thailand? At an unbeatable price and with the assurance that you can cancel free of charge 48 hours before the trip? Sounds too good to be true? In this case it is. On Facebook and Instagram the fraudulent provider "Urlaubsguru ReiseWelt" advertises unbelievable offers. But instead of the promised dream trip, only your money is stolen.
---------------------------------------------
https://www.watchlist-internet.at/news/urlaubsguru-reisewelt-bewirbt-fake-r…
∗∗∗ Threat Actor Group Cloud Atlas Tracked by DomainTools Researchers ∗∗∗
---------------------------------------------
Researchers from DomainTools continue to see an APT group known as Cloud Atlas (also known as Inception) run campaigns which primarily focus on targeting countries formerly part of the Soviet Union with an emphasis on energy and political themes.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/ca6c08f0161ffd21cad662b80fa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Android patch day: Critical remote vulnerability removed from the operating system ∗∗∗
---------------------------------------------
For the March patch day, Google has, among other things, removed several critical vulnerabilities from Android. Pixel devices receive numerous additional patches.
---------------------------------------------
https://heise.de/-5070821
∗∗∗ Medium Severity Vulnerability Patched in User Profile Picture Plugin ∗∗∗
---------------------------------------------
On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information.
---------------------------------------------
https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patche…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).
---------------------------------------------
https://lwn.net/Articles/848089/
∗∗∗ Critical vulnerabilities in Microsoft Exchange Server - patches available ∗∗∗
---------------------------------------------
Microsoft has released several patches for Microsoft Exchange outside its usual update cycle. According to Microsoft and the IT security firm Volexity, some of the vulnerabilities fixed in them are already being actively exploited.
---------------------------------------------
https://cert.at/de/warnungen/2021/3/kritische-sicherheitslucken-in-microsof…
∗∗∗ Side Channel Key Extraction Vulnerability in Bosch IP Cameras and Encoders ∗∗∗
---------------------------------------------
BOSCH-SA-762869-BT: A recently discovered side channel attack for the NXP P5x security microcontrollers was made public. It allows attackers to extract an ECDSA private key after extensive physical access to the chip.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-762869-bt.html
∗∗∗ Cisco Security Advisories - March 3rd, 2021 ∗∗∗
---------------------------------------------
Cisco has published thirteen Security Advisories. Of the advisories, one is rated as High and twelve are rated as Medium. For all advisories listed below, it is noted that Cisco's Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities" [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/a3892fab975bdb6f39d025581db…
∗∗∗ SECURITY BULLETIN: Trend Micro Scan Engine Memory Exhaustion Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000285675
∗∗∗ Security Bulletin: IBM Security Verify Bridge uses a hard-coded key to encrypt the client secret (CVE-2021-20442) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridg…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js proxy library that has a known vulnerability (183561) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM Security Verify Bridge uses relatively weak cryptographic algorithms in two of its functions (CVE-2021-20441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridg…
∗∗∗ Security Bulletin: Android Mobile SDK compile builder includes vulnerable components ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-android-mobile-sdk-compil…
∗∗∗ VMSA-2021-0003 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0003.html
∗∗∗ Linux nfsd kernel vulnerability CVE-2020-24394 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04553557?utm_source=f5support&utm_mediu…
∗∗∗ Hitachi ABB Power Grids Ellipse EAM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-061-01
∗∗∗ Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-061-02
∗∗∗ MB connect line mbCONNECT24, mymbCONNECT24 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-061-03
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-03-2021 18:00 − Tuesday 02-03-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ European e-ticketing platform Ticketcounter extorted in data breach ∗∗∗
---------------------------------------------
A Dutch e-Ticketing platform has suffered a data breach after a user database containing 1.9 million unique email addresses was stolen from an unsecured staging server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/european-e-ticketing-platfor…
∗∗∗ Bruce Schneier: The economic system also bears blame for the SolarWinds hack ∗∗∗
---------------------------------------------
Profits are made with poor IT security while consumers and society bear the risks. According to Schneier, that has to change.
---------------------------------------------
https://www.golem.de/news/bruce-schneier-auch-das-wirtschaftssystem-traegt-…
∗∗∗ Inside the Ransomware Economy ∗∗∗
---------------------------------------------
The trouble with ransomware is well known at this point. From Egregor to Doppelpaymer to Ryuk, it continues to command headlines. Pandemic-fueled phishing scams, the lack of visibility across remote endpoints, and lax attitudes have been a boon for ransomware groups over the last year. Worst of all, ransomware no longer discriminates. It dominates small towns and municipal offices, video game makers, and shamelessly, healthcare organizations and school systems already pushed to the brink by the COVID-19 pandemic. The threat could still become more pervasive over the next two to three years, not because ransomware is effective in and of itself but because of other players in the game - insurance companies, brokers, and even attorneys - that continue to fan the flames.
---------------------------------------------
https://www.securityweek.com/inside-ransomware-economy
∗∗∗ Do not make the entry registration for Germany via "digitale-einreiseanmeldung.de" ∗∗∗
---------------------------------------------
The corona pandemic makes entry into other countries considerably harder. For a trip to Germany, for example, a digital entry registration may have to be made beforehand. When researching entry requirements, however, travellers often come across dubious websites that offer the digital entry registration for a fee. Stay away from paid offers for entry registration. It is unclear whether these providers [...]
---------------------------------------------
https://www.watchlist-internet.at/news/einreiseanmeldung-fuer-deutschland-n…
∗∗∗ Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns ∗∗∗
---------------------------------------------
Cybercriminals use fast flux to maintain uptime for malicious activities. We show how it works in a fictional scenario and real-world case studies.
---------------------------------------------
https://unit42.paloaltonetworks.com/fast-flux-101/
∗∗∗ Povlsomware Ransomware ∗∗∗
---------------------------------------------
Povlsomware markets itself as a proof-of-concept (POC) ransomware designed to test security vendor products. Trend Micro reports on some interesting capabilities associated with the malware.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/e7d232e9df181a3c873c3eaeb56…
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Security Bulletin - March 2021 ∗∗∗
---------------------------------------------
[...] The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
---------------------------------------------
https://source.android.com/security/bulletin/2021-03-01
∗∗∗ Ten vulnerabilities closed in server configuration software Saltstack ∗∗∗
---------------------------------------------
There are important security updates for the server software Saltstack. None of the vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-5069120
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9).
---------------------------------------------
https://lwn.net/Articles/847944/
∗∗∗ Joomla! Security Announcements ∗∗∗
---------------------------------------------
[20210301] - Core - Insecure randomness within 2FA secret generation
https://developer.joomla.org:443/security-centre/841-20210301-core-insecure…
[20210302] - Core - Potential Insecure FOFEncryptRandval
https://developer.joomla.org:443/security-centre/842-20210302-core-potentia…
[20210303] - Core - XSS within alert messages showed to users
https://developer.joomla.org:443/security-centre/843-20210303-core-xss-with…
[20210304] - Core - XSS within the feed parser library
https://developer.joomla.org:443/security-centre/844-20210304-core-xss-with…
[20210305] - Core - Input validation within the template manager
https://developer.joomla.org:443/security-centre/845-20210305-core-input-va…
[20210306] - Core - com_media allowed paths that are not intended for image uploads
https://developer.joomla.org:443/security-centre/846-20210306-core-com-medi…
[20210307] - Core - ACL violation within com_content frontend editing
https://developer.joomla.org:443/security-centre/847-20210307-core-acl-viol…
[20210308] - Core - Path Traversal within joomla/archive zip class
https://developer.joomla.org:443/security-centre/848-20210308-core-path-tra…
[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field
https://developer.joomla.org:443/security-centre/849-20210309-core-inadequa…
---------------------------------------------
https://developer.joomla.org/security-centre.html
∗∗∗ Linux NFS kernel vulnerability CVE-2020-25212 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K42355373
∗∗∗ [webapps] Tiny Tiny RSS - Remote Code Execution ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/49606
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cognos Command Center has addressed multiple vulnerabilities (Q12021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java…
∗∗∗ Security Bulletin: Datacap Taskmaster Capture is vulnerable to AppScan's SSLv3 Client Hello with CBC cipher suites that contain TLS_FALLBACK_SCSV ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-captur…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-02-2021 18:00 − Monday 01-03-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Ryuk ransomware now self-spreads to other Windows LAN devices ∗∗∗
---------------------------------------------
A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims' local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spr…
∗∗∗ Mobile malware evolution 2020 ∗∗∗
---------------------------------------------
In 2020, Kaspersky mobile products and technologies detected 156,710 new mobile banking Trojans and 20,708 new mobile ransomware Trojans.
---------------------------------------------
https://securelist.com/mobile-malware-evolution-2020/101029/
∗∗∗ Maldocs: Protection Passwords, (Sun, Feb 28th) ∗∗∗
---------------------------------------------
In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.
---------------------------------------------
https://isc.sans.edu/diary/rss/27146
∗∗∗ Top 5 simplest and most effective measures to prevent hacker attacks ∗∗∗
---------------------------------------------
No matter what kind of attacker you are dealing with, the steps from the initial compromise to full "Domain Dominance" follow the same patterns.
---------------------------------------------
https://sec-consult.com/de/blog/detail/top-5-der-simpelsten-und-effektivste…
∗∗∗ Acute wave of attacks on Fritzbox users, act now! ∗∗∗
---------------------------------------------
Mysterious access attempts from the IP address 185.232.52.55 are currently unsettling numerous Fritzbox users. Protect your router against the attack wave.
---------------------------------------------
https://heise.de/-5068111
∗∗∗ New ICS Threat Activity Group: KAMACITE ∗∗∗
---------------------------------------------
The new KAMACITE activity group represents a long-running set of related behaviors targeting electric utilities, oil and gas operations, and various manufacturing since at least 2014.
---------------------------------------------
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kam…
∗∗∗ Free cybersecurity tool aims to help smaller businesses stay safer online ∗∗∗
---------------------------------------------
NCSC tool aims to help small businesses develop a strategy to protect themselves from cyber crime.
---------------------------------------------
https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-…
∗∗∗ Laravel Apps Leaking Secrets ∗∗∗
---------------------------------------------
An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems.
---------------------------------------------
https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/
∗∗∗ Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures ∗∗∗
---------------------------------------------
New versions of the MINEBRIDGE RAT were discovered and analyzed by Zscaler researchers. Their findings on the TTPs, attribution, C2 infrastructure, and attack flow are published in a recent blog.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/256c2e722c138ff5a1a711314fc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Authentication bypass vulnerability in Genua GenuGate High Resistance Firewall ∗∗∗
---------------------------------------------
The Genua GenuGate High Resistance Firewall is affected by a critical authentication bypass vulnerability. By manipulating certain HTTP POST parameters at login, an unauthenticated attacker can log in as any user on the admin web interface, the sidechannel web and the userweb interface, and thereby obtain the highest privileges (root).
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass…
∗∗∗ Google shares PoC exploit for critical Windows 10 Graphics RCE bug ∗∗∗
---------------------------------------------
Project Zero, Google's 0day bug-hunting team, shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-shares-poc-exploit-fo…
∗∗∗ D-LinkGATE Remote Code Execution ∗∗∗
---------------------------------------------
CVE numbers: CVE-2021-27249, CVE-2021-27250
Product: DAP-2020 (since the vulnerability affects a core component, further models might be subject to this vulnerability)
Vulnerabilities:
- Blind RCE
- Blind RCE to full RCE escalation
- Log Injection
- Arbitrary File Read
- Arbitrary File upload
- LPE
[...]
---------------------------------------------
https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).
---------------------------------------------
https://lwn.net/Articles/847778/
∗∗∗ Minion privilege escalation exploit patched in SaltStack Salt project ∗∗∗
---------------------------------------------
The bug permitted attackers to perform privilege escalation attacks in the automation software.
---------------------------------------------
https://www.zdnet.com/article/minion-hijacking-flaw-patched-in-saltstack-sa…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-02-2021 18:00 − Friday 26-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ So where did those Satori attacks come from?, (Thu, Feb 25th) ∗∗∗
---------------------------------------------
Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26.
---------------------------------------------
https://isc.sans.edu/diary/rss/27140
∗∗∗ SQL Triggers in Website Backdoors ∗∗∗
---------------------------------------------
Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables — for example, wp_users, wp_options, and wp_posts.
---------------------------------------------
https://blog.sucuri.net/2021/02/sql-triggers-in-website-backdoors.html
∗∗∗ ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process ∗∗∗
---------------------------------------------
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information.
---------------------------------------------
https://thehackernews.com/2021/02/alert-malicious-amazon-alexa-skills-can.h…
∗∗∗ So Unchill: Melting UNC2198 ICEDID to Ransomware Operations ∗∗∗
---------------------------------------------
Since its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed to primarily target banking credentials.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid…
∗∗∗ SilentFade virus strikes, Cyberstalking and Ransom user ∗∗∗
---------------------------------------------
Recently, 360 Security Center monitored that the SilentFade virus was bundled with pirated software to spread. The infected users were mainly distributed in Malaysia, India, [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/silentfade-virus-strikes-cyberstalking…
∗∗∗ Microsoft Releases Open Source Resources for Solorigate Threat Hunting ∗∗∗
---------------------------------------------
Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack.
---------------------------------------------
https://www.securityweek.com/microsoft-releases-open-source-resources-solor…
∗∗∗ Chain letter alert: Alleged Amazon prize draw is making the rounds on WhatsApp! ∗∗∗
---------------------------------------------
A link promising a prize on the occasion of Amazon's alleged 30th anniversary is currently being sent around on WhatsApp. We took a closer look at the message and the link. Our conclusion: it is a classic chain letter. You will not receive any prize; instead you have to download a dangerous app.
---------------------------------------------
https://www.watchlist-internet.at/news/kettenbrief-alarm-angebliches-amazon…
∗∗∗ Go malware is now common, having been adopted by both APTs and e-crime groups ∗∗∗
---------------------------------------------
There's been a 2,000% increase of new malware written in Go over the past few years.
---------------------------------------------
https://www.zdnet.com/article/go-malware-is-now-common-having-been-adopted-…
∗∗∗ New Phishing Attack Using Malformed URL Prefixes ∗∗∗
---------------------------------------------
GreatHorn reports on a phishing technique that leverages malformed URL prefixes to bypass security scanners. Many security scanners use pattern recognition to identify URLs, thus expecting the presence of "http://" to identify them. However, the URL specification technically does not require the "//" in order to visit a URL.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/c52464bd46eb48e4c5741df9e1b…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue ∗∗∗
---------------------------------------------
In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_…
∗∗∗ Security Advisory for Multiple Vulnerabilities on Some Routers, Satellites, and Extenders ∗∗∗
---------------------------------------------
NETGEAR has released fixes for multiple security vulnerabilities on the following product models:
BR200, running firmware versions prior to 5.10.0.5
BR500, running firmware versions prior to 5.10.0.5
D7800, running firmware versions prior to 1.0.1.60
EX6100v2, running firmware versions prior to 1.0.1.98
EX6150v2, running firmware versions prior to 1.0.1.98
EX6250, running firmware versions prior to 1.0.0.134
EX6400, running firmware versions prior to 1.0.2.158
EX6400v2, running firmware versions prior to 1.0.0.134
EX6410, running firmware versions prior to 1.0.0.134
EX6420, running firmware versions prior to 1.0.0.134
EX7300, running firmware versions prior to 1.0.2.158
EX7300v2, running firmware versions prior to 1.0.0.134
EX7320, running firmware versions prior to 1.0.0.134
EX7700, running firmware versions prior to 1.0.0.216
EX8000, running firmware versions prior to 1.0.1.232
LBR20, running firmware versions prior to 2.6.3.50
R7800, running firmware versions prior to 1.0.2.80
R8900, running firmware versions prior to 1.0.5.28
R9000, running firmware versions prior to 1.0.5.28
RBK12, running firmware versions prior to 2.7.2.104
RBK13, running firmware versions prior to 2.7.2.104
RBK14, running firmware versions prior to 2.7.2.104
RBK15, running firmware versions prior to 2.7.2.104
RBK20, running firmware versions prior to 2.6.2.104
RBK23, running firmware versions prior to 2.7.2.104
RBK40, running firmware versions prior to 2.6.2.104
RBK43, running firmware versions prior to 2.6.2.104
RBK43S, running firmware versions prior to 2.6.2.104
RBK44, running firmware versions prior to 2.6.2.104
RBK50, running firmware versions prior to 2.7.2.104
RBK53, running firmware versions prior to 2.7.2.104
RBR10, running firmware versions prior to 2.6.2.104
RBR20, running firmware versions prior to 2.6.2.104
RBR40, running firmware versions prior to 2.6.2.104
RBR50, running firmware versions prior to 2.7.2.104
RBS10, running firmware versions prior to 2.6.2.104
RBS20, running firmware versions prior to 2.6.2.104
RBS40, running firmware versions prior to 2.6.2.104
RBS50, running firmware versions prior to 2.7.2.104
RBS50Y, running firmware versions prior to 2.6.2.104
XR450, running firmware versions prior to 2.3.2.114
XR500, running firmware versions prior to 2.3.2.114
XR700, running firmware versions prior to 1.0.1.38
NETGEAR strongly recommends that you download the latest firmware as soon as possible.
---------------------------------------------
https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabili…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).
---------------------------------------------
https://lwn.net/Articles/847581/
∗∗∗ PerFact OpenVPN-Client ∗∗∗
---------------------------------------------
This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-01
∗∗∗ Fatek FvDesigner ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in Fatek FvDesigner software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-02
∗∗∗ Rockwell Automation Logix Controllers ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
∗∗∗ ProSoft Technology ICX35 ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04
∗∗∗ GeNUA GeNUGate: Unspecified vulnerability ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0217
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26950) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14779, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – OpenSSL (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15683) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15677) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26951) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Resilient SOAR is using opensaml-2.6.4.jar that could be vulnerable to bypass security restrictions (CVE-2015-1796) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-02-2021 18:00 − Thursday 25-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Attackers scan for vulnerable VMware servers after PoC exploit release ∗∗∗
---------------------------------------------
After security researchers have developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-scan-for-vulnerabl…
∗∗∗ Lazarus targets defense industry with ThreatNeedle ∗∗∗
---------------------------------------------
In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.
---------------------------------------------
https://securelist.com/lazarus-threatneedle/100803/
∗∗∗ Forensicating Azure VMs, (Thu, Feb 25th) ∗∗∗
---------------------------------------------
With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm.
---------------------------------------------
https://isc.sans.edu/diary/rss/27136
∗∗∗ Cisco closes three critical, remotely exploitable security vulnerabilities ∗∗∗
---------------------------------------------
Update now: the ACI Multi-Site Orchestrator (MSO), the Application Services Engine and Nexus switches had (and in part still have) remote vulnerabilities rated "Critical".
---------------------------------------------
https://heise.de/-5065055
∗∗∗ Babuk Ransomware ∗∗∗
---------------------------------------------
Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/
∗∗∗ DarkWorld Ransomware ∗∗∗
---------------------------------------------
Recently, 360 Security Center detected a ransomware that disguised commonly used software and appeared on the network. The virus called itself DarkWorld in the [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/darkworld-ransomware/
∗∗∗ Warning: Shopping at falinas.com, falinas.de and falinas.at signs you up for a subscription! ∗∗∗
---------------------------------------------
We are currently receiving numerous reports warning about the online shop falinas.com. The shop is also reachable at falinas.de and falinas.at. The scheme is the same on all of the sites: you buy one of the many brand-name beauty products at a low price, and only later do consumers notice that they have thereby taken out an expensive subscription. Our recommendation: keep your hands off falinas.com.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-shoppen-auf-falinascom…
∗∗∗ This chart shows the connections between cybercrime groups ∗∗∗
---------------------------------------------
CrowdStrike puts together a list of connections and how cybercrime groups cooperate with each other.
---------------------------------------------
https://www.zdnet.com/article/this-chart-shows-the-connections-between-cybe…
∗∗∗ Google Mail Merge Impersonation ∗∗∗
---------------------------------------------
A recent phishing campaign detected by Abnormal Security attempts to steal Outlook credentials through a Google Mail merge lure.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/eaf477f5b5f77df91462fd850ef…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, [...]
---------------------------------------------
https://lwn.net/Articles/847390/
∗∗∗ Node.js vulnerability CVE-2020-8277 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K07944249
∗∗∗ Security Bulletin: Vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-linux-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14803, CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: Multiple IBM Java Runtime Vulnerabilities Affect IBM Sterling Connect:Direct Browser User Interface ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-java-runtime…
∗∗∗ Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-filenet-content-manag…
∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi…
∗∗∗ Security Bulletin: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnera…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-02-2021 18:00 − Wednesday 24-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Finnish IT services giant TietoEVRY discloses ransomware attack ∗∗∗
---------------------------------------------
Finnish IT services giant TietoEVRY has suffered a ransomware attack that forced them to disconnect clients' services.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/finnish-it-services-giant-ti…
∗∗∗ Cybercriminals attack hospitals and vaccine manufacturers ∗∗∗
---------------------------------------------
The corona pandemic was exploited by criminals to extort money. Vaccine supply chains were also targeted.
---------------------------------------------
https://futurezone.at/digital-life/ransomware-angriffe-auf-krankenhaeuser-n…
∗∗∗ Microsoft Lures Populate Half of Credential-Swiping Phishing Emails ∗∗∗
---------------------------------------------
As more organizations migrate to Office 365, cybercriminals are using Outlook, Teams and other Microsoft-themed phishing lures to swipe user credentials.
---------------------------------------------
https://threatpost.com/microsoft-lures-credential-swiping-phishing-emails/1…
∗∗∗ Malspam pushes GuLoader for Remcos RAT, (Wed, Feb 24th) ∗∗∗
---------------------------------------------
Malicious spam (malspam) pushing GuLoader malware has been around for over a year now. GuLoader is a file downloader first observed in December 2019, and it has been used to distribute a wide variety of malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/27132
∗∗∗ Experts Warn of Notable Increase in QuickBooks Data Files Theft Attacks ∗∗∗
---------------------------------------------
New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks to deliver malware and exploit the accounting software.
---------------------------------------------
https://thehackernews.com/2021/02/experts-warns-of-notable-increase-in.html
∗∗∗ 2020 ICS Cybersecurity Year in Review ∗∗∗
---------------------------------------------
The Dragos YIR report is an annual analysis of ICS/OT focused cyber threats, vulnerabilities, assessments, and incident response insights.
---------------------------------------------
https://www.dragos.com/blog/industry-news/2020-ics-cybersecurity-year-in-re…
∗∗∗ New LazyScripter Hacking Group Targets Airlines ∗∗∗
---------------------------------------------
A recently identified threat actor that remained unnoticed for roughly two years appears focused on the targeting of airlines that are using the BSPLink financial settlement software made by the International Air Transport Association (IATA).
---------------------------------------------
https://www.securityweek.com/new-lazyscripter-hacking-group-targets-airlines
∗∗∗ An Analysis of MassLogger v3 ∗∗∗
---------------------------------------------
Researchers from Avast have published a report on their analysis of the MassLogger v3 infostealing malware. The analysis focuses on the obfuscation of the final payload.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/8f1c8a4c335e11921fdc7a3f520…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update now: Critical vulnerability removed from VMware ESXi and vCenter Server ∗∗∗
---------------------------------------------
Three security vulnerabilities rated from "Moderate" to "Critical" affect ESXi and vCenter Server and, indirectly, Cloud Foundation as well. Updates are available.
---------------------------------------------
https://heise.de/-5063860
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (firefox and tor), Oracle (stunnel and xterm), Red Hat (virt:8.2 and virt-devel:8.2 and xterm), SUSE (avahi, gnuplot, java-1_7_0-ibm, and pcp), and Ubuntu (openssl).
---------------------------------------------
https://lwn.net/Articles/847240/
∗∗∗ Cisco Security Advisories 2021-02-24 ∗∗∗
---------------------------------------------
3 Critical, 4 High, 5 Medium Severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Privilege Escalation via sudo and Linux kernel in Bosch Rexroth Products ∗∗∗
---------------------------------------------
BOSCH-SA-372917: Linux kernel versions through 5.10.11 contain weaknesses which allow local users to execute code in the kernel with the potential to escalate privileges. The ctrlX CORE and the IoT Gateway both are shipped with vulnerable versions of those components.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-372917.html
∗∗∗ ZDI-21-249: (Pwn2Own) NETGEAR Nighthawk R7800 Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-249/
∗∗∗ ZDI-21-248: (Pwn2Own) NETGEAR R7800 udchpd DHCP_REQUEST Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-248/
∗∗∗ ZDI-21-247: NETGEAR Nighthawk R7800 ready-genie-cloud Insecure Download of Critical Component Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-247/
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210218-…
∗∗∗ Security Advisory - Use After Free Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-…
∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-…
∗∗∗ Security Bulletin: Clickjacking vulnerability identified in IBM Dependency Based Build server web UI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-clickjacking-vulnerabilit…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14797, CVE-2020-14779, CVE-2020-14796) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js nodemailer module affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple CVEs – Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabili…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus (CVE-2020-7760) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4931) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: OpenLDAP publicly disclosed vulnerabilities affect MessageGateway (CVE-2020-36230, CVE-2020-36229) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openldap-publicly-disclos…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to cookie spoofing (CVE-2019-12749) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: A security vulnerability in Node.js nodemailer module affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Rockwell Automation FactoryTalk Services Platform ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-01
∗∗∗ Advantech BB-ESWGP506-2SFP-T ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02
∗∗∗ Advantech Spectre RT Industrial Routers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-02-2021 18:00 − Tuesday 23-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Warning: fake e-mail from A1 about a reward for Mobilpoints leads to a subscription trap ∗∗∗
---------------------------------------------
"Since you started using our services, you have collected 29,039 Mobilpoints. As a reward, you will receive a smartphone." This offer is supposedly made by A1 via e-mail. But beware: this e-mail comes from criminals. Anyone who believes the supposed offer and pays the delivery fee falls into an expensive subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-gefaelschtes-e-mail-von-a1-u…
∗∗∗ Lessons Learned from SUNBURST for Threat Hunters ∗∗∗
---------------------------------------------
Practical advice from the DomainTools research team on how to approach adversary-based threat hunting, asset management, and incident response in the wake of the SUNBURST campaign.
---------------------------------------------
https://www.domaintools.com/resources/blog/lessons-learned-from-sunburst-fo…
∗∗∗ Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd) ∗∗∗
---------------------------------------------
I wanted to take a look at Brad's malicious spreadsheet, using Excel inside a VM.
---------------------------------------------
https://isc.sans.edu/diary/rss/27126
∗∗∗ Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd) ∗∗∗
---------------------------------------------
Given its history, the Full Disclosure mailing list[1] is probably one of the best-known places on the internet where information about newly discovered vulnerabilities may be published in a completely open way. If one wishes to inform the wider security community about a vulnerability one found in any piece of software, one only has to submit a post and after it is evaluated by the moderators, the information will be published to the list.
---------------------------------------------
https://isc.sans.edu/diary/rss/27130
∗∗∗ Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs ∗∗∗
---------------------------------------------
Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents. Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain [...]
---------------------------------------------
https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html
∗∗∗ New article: Decompiling Excel Formula (XF) 4.0 malware ∗∗∗
---------------------------------------------
In a new article, researcher Kurt Natvig takes a close look at XF 4.0 malware.
---------------------------------------------
https://www.virusbulletin.com/blog/2021/02/new-article-decompiling-excel-fo…
∗∗∗ Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion ∗∗∗
---------------------------------------------
Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploite…
∗∗∗ Checkout Skimmers Powered by Chip Cards ∗∗∗
---------------------------------------------
Easily the most sophisticated skimming devices made for hacking terminals at retail self-checkout lanes are a new breed of PIN pad overlay combined with a flexible, paper-thin device that fits inside the terminal's chip reader slot. What enables these skimmers to be so slim? They draw their power from the low-voltage current that gets triggered when a chip-based card is inserted. As a result, they do not require external batteries, and can remain in operation indefinitely.
---------------------------------------------
https://krebsonsecurity.com/2021/02/checkout-skimmers-powered-by-chip-cards/
∗∗∗ Clop targets execs, ransomware tactics get another new twist ∗∗∗
---------------------------------------------
Clop's targeting of executives' workstations is the latest in a string of recent innovations in ransomware.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-…
∗∗∗ UK Banks 2FA Being Bypassed ∗∗∗
---------------------------------------------
Akamai and Cyjax have published reports on a campaign that is bypassing 2FA in order to employ a multi-part phishing kit. Functionality of this kit does not behave as typically expected. This particular phishing kit uses a centralized control panel, a departure from typical phishing operations.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/75c736c5e365bdd5636268f9815…
=====================
= Vulnerabilities =
=====================
∗∗∗ Browser updates: Firefox 86 and 78.8 ESR include important security fixes ∗∗∗
---------------------------------------------
Mozilla's newly released browser versions bring security fixes alongside new features. Several of the vulnerabilities are rated as high risk.
---------------------------------------------
https://heise.de/-5063402
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (connman, firejail, kernel, python-django, roundcubemail, and wpa_supplicant), Fedora (gdk-pixbuf2 and gdk-pixbuf2-xlib), openSUSE (python3 and tomcat), Scientific Linux (xterm), SUSE (postgresql12 and postgresql13), and Ubuntu (gdk-pixbuf, openldap, python-django, and qemu).
---------------------------------------------
https://lwn.net/Articles/847150/
∗∗∗ Synology Security Advisories ∗∗∗
---------------------------------------------
Synology-SA-21:09 WebDAV Server
A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of WebDAV Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_09
Synology-SA-21:08 Docker
A vulnerability allows local users to read or write arbitrary files via a susceptible version of Docker.
https://www.synology.com/en-global/support/security/Synology_SA_21_08
Synology-SA-21:07 Synology Directory Server
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Directory Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_07
Synology-SA-21:06 CardDAV Server
A vulnerability allows remote authenticated users to execute arbitrary SQL commands via a susceptible version of CardDAV Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_06
Synology-SA-21:05 Audio Station
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Audio Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_05
Synology-SA-21:04 Video Station
A vulnerability allows remote authenticated users to access intranet resources via a susceptible version of Video Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_04
Synology-SA-21:03 DSM
Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).
https://www.synology.com/en-global/support/security/Synology_SA_21_03
---------------------------------------------
https://www.synology.com/en-global/security/advisory
∗∗∗ Security Vulnerabilities fixed in Thunderbird 78.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: Multiple CVEs – Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabili…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-02-2021 18:00 − Monday 22-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Trojan alert for Creality 3D printer software ∗∗∗
---------------------------------------------
The software package offered on Creality's download pages for the Ender 5 3D printer triggers an alert on Windows PCs.
---------------------------------------------
https://heise.de/-5061290
∗∗∗ Silver Sparrow: mysterious malware found on more than 29,000 Macs ∗∗∗
---------------------------------------------
The software, built for both Intel and ARM Macs, has a self-destruct function and regularly contacts command servers, but so far does nothing.
---------------------------------------------
https://heise.de/-5062066
∗∗∗ Powerhouse VPN products can be abused for large-scale DDoS attacks ∗∗∗
---------------------------------------------
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
---------------------------------------------
https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-lar…
∗∗∗ Recently fixed Windows zero-day actively exploited since mid-2020 ∗∗∗
---------------------------------------------
Microsoft says that a high-severity Windows zero-day vulnerability patched during the February 2021 Patch Tuesday was exploited in the wild since at least the summer of 2020 according to its telemetry data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-…
∗∗∗ Quickie: Extracting HTTP URLs With tshark, (Sat, Feb 20th) ∗∗∗
---------------------------------------------
After I posted diary entry "Quickie: tshark & Malware Analysis", someone asked me how to extract HTTP URLs from capture files with tshark.
---------------------------------------------
https://isc.sans.edu/diary/rss/27120
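The diary's subject is pulling request URLs out of a capture with tshark; the equivalent tshark invocation is `tshark -r capture.pcap -Y http.request -T fields -e http.host -e http.request.uri` (this command is the editor's assumption, not necessarily the one the diary uses). The following added example, not part of the diary, does the same job with only the Python standard library so that every decoding step is visible: it walks a classic libpcap file, strips the Ethernet, IPv4 and TCP headers, and rebuilds `http://` + Host + request-target from each HTTP request line. The capture it reads is constructed inline (`SAMPLE_PCAP`); IP options are honoured, but IPv6, VLAN tags, pcapng and requests split across TCP segments are deliberately out of scope.

```python
import struct

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT"}


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian libpcap file (constructed input)."""
    parts = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        parts.append(struct.pack("<IIII", 1613692800 + i, 0, len(frame), len(frame)))
        parts.append(frame)
    return b"".join(parts)


def build_ipv4_frame(proto, l4, src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x50"):
    """Ethernet + IPv4 header around a transport payload (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0, src, dst)
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + l4


def build_tcp_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (PSH|ACK, no options) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def http_request_url(frame):
    """Return the URL of the HTTP request carried by one Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None                                   # not IPv4 / not TCP
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    if len(tcp) < 20:
        return None
    try:
        text = tcp[(tcp[12] >> 4) * 4:].decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, _ = text.partition("\r\n\r\n")
    if not sep:
        return None                                   # header block not complete in this segment
    lines = head.split("\r\n")
    req = lines[0].split(" ")
    if len(req) != 3 or req[0] not in HTTP_METHODS or not req[2].startswith("HTTP/"):
        return None                                   # responses and non-HTTP payloads end here
    if req[1].startswith(("http://", "https://")):
        return req[1]                                 # absolute-form target, as sent to a proxy
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return "http://" + value.strip() + req[1]
    return None


def extract_http_urls(pcap_bytes):
    """Walk every record of a classic pcap file and collect request URLs in capture order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    urls, off = [], 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        off += 16
        url = http_request_url(pcap_bytes[off:off + incl_len])
        off += incl_len
        if url:
            urls.append(url)
    return urls


# Constructed capture: two requests, one response and one UDP datagram.
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame(6, build_tcp_segment(40000, 80,
        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n")),
    build_ipv4_frame(17, b"\x9c\x40\x00\x35\x00\x09\x00\x00x"),            # UDP: skipped
    build_ipv4_frame(6, build_tcp_segment(80, 40000,
        b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),                   # response: skipped
    build_ipv4_frame(6, build_tcp_segment(40001, 8080,
        b"POST /api?id=1 HTTP/1.1\r\nHost: example.org:8080\r\n\r\n")),
])

if __name__ == "__main__":
    for url in extract_http_urls(SAMPLE_PCAP):
        print(url)
```

Point `extract_http_urls` at the bytes of a real capture to use it on your own traffic; the Host header is taken verbatim, so a port suffix survives, and an absolute-form target (proxy traffic) is returned as-is rather than being prefixed again.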
∗∗∗ DDE and oledump, (Sun, Feb 21st) ∗∗∗
---------------------------------------------
I was asked if the DDE YARA rules I created work with oledump.py on the sample that Xavier wrote about in his diary entry "Dynamic Data Exchange (DDE) is Back in the Wild?".
---------------------------------------------
https://isc.sans.edu/diary/rss/27122
∗∗∗ New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card. The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a [...]
---------------------------------------------
https://thehackernews.com/2021/02/new-hack-lets-attackers-bypass.html
∗∗∗ Genetics of a Modern IoT Attack ∗∗∗
---------------------------------------------
When it comes to IoT attacks and malware, there is a perceptible pattern in which all intrusions manifest. It is good practice to study such patterns and draw conclusions so that we may extrapolate to future attacks.
---------------------------------------------
https://cujo.com/genetics-of-a-modern-iot-attack/
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! SonicWall improves security updates for SMA 100 ∗∗∗
---------------------------------------------
The network equipment vendor has released new patches for its SMA 100 remote access system and recommends prompt installation.
---------------------------------------------
https://heise.de/-5061513
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libzstd, openldap, openvswitch, screen, and wpa), Fedora (dotnet5.0, subversion, and wpa_supplicant), openSUSE (mumble, python-djangorestframework, and tor), Oracle (container-tools:ol8, kernel, nodejs:10, nodejs:12, nodejs:14, subversion:1.10, and xterm), Red Hat (stunnel and xterm), and SUSE (ImageMagick, java-1_8_0-openjdk, kernel, krb5-appl, python3, tomcat, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/847035/
∗∗∗ Red Hat Enterprise Linux: vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0198
∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js codemirror module affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A vulnerability in Bouncy Castle affects IBM Rational Performance Tester (CVE-2020-26939) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-bouncy…
∗∗∗ Security Bulletin: A security vulnerability in Node.js ini module affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A vulnerability has been identified in FasterXML Jackson Databind shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been…
∗∗∗ Security Bulletin: App Connect Professional & IBM WebSphere Cast Iron Solution are affected by Apache Tomcat vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in PostgreSQL affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js y18n module affects IBM Cloud Pak for Multicloud Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Security Bulletin: Multiple vulnerability issues affect IBM Spectrum Symphony 7.3.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-is…
∗∗∗ Security Bulletin: Multiple vulnerability issues affect IBM Spectrum Conductor 2.5.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-is…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-02-2021 18:00 − Friday 19-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ RIPE NCC Internet Registry discloses SSO credential stuffing attack ∗∗∗
---------------------------------------------
RIPE NCC is warning members that they suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ripe-ncc-internet-registry-d…
∗∗∗ Microsoft: SolarWinds attacks continued after discovery ∗∗∗
---------------------------------------------
Microsoft confirms attacks by the SolarWinds hackers continuing into January. The attackers were also able to download source code.
---------------------------------------------
https://www.golem.de/news/microsoft-solarwinds-angriffe-gingen-nach-aufflie…
∗∗∗ Router Security ∗∗∗
---------------------------------------------
This report is six months old, and I don't know anything about the organization that produced it, but it has some alarming data about router security. Conclusion: "Our analysis showed that Linux is the most used OS, running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which has not been maintained for many years."
---------------------------------------------
https://www.schneier.com/blog/archives/2021/02/router-security.html
∗∗∗ myMail Manages Your Mailbox… in a Strange Way! ∗∗∗
---------------------------------------------
myMail is a popular (10M+ downloads!) alternative email client for mobile devices. Available for iOS and Android, it is a powerful email client compatible with most of the mail providers (POP3/IMAP, Gmail, Yahoo!, Outlook, and even ActiveSync).
---------------------------------------------
https://blog.rootshell.be/2021/02/19/mymail-manages-your-mailbox-in-a-stran…
∗∗∗ Dynamic Data Exchange (DDE) is Back in the Wild?, (Fri, Feb 19th) ∗∗∗
---------------------------------------------
DDE or "Dynamic Data Exchange" is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects.
---------------------------------------------
https://isc.sans.edu/diary/rss/27116
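This diary and the earlier "DDE and oledump" entry (which ran YARA rules for DDE over a sample) both come down to finding DDE field instructions inside Office documents. As an added example, not taken from either diary, the following Python reassembles the field instructions of a WordprocessingML part and flags DDE/DDEAUTO, including two evasions that a plain search for the string "DDEAUTO" misses: the instruction split across several `w:instrText` runs, and the payload spelled as character codes inside a QUOTE field. `SAMPLE_DOCUMENT_XML` is a constructed `word/document.xml`; `scan_docx` applies the same check to every XML part under `word/` of a real .docx (body, headers and footers).

```python
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
DDE_RE = re.compile(r"^(?:DDEAUTO|DDE)\b", re.IGNORECASE)
QUOTE_RE = re.compile(r"^QUOTE\b(.*)$", re.IGNORECASE | re.DOTALL)


def field_instructions(document_xml):
    """Return the instruction text of every field in a WordprocessingML part.

    Complex fields are reassembled from all w:instrText runs between the fldChar
    begin/end markers, so an instruction split over several runs ("DD" + "E ...")
    comes back whole; simple fields carry their text in the w:instr attribute.
    """
    root = ET.fromstring(document_xml)
    fields, open_fields = [], []
    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                fields.append("".join(open_fields.pop()))
        elif el.tag == W + "instrText" and open_fields:
            open_fields[-1].append(el.text or "")
    return fields


def normalise(instruction):
    """Collapse whitespace; decode a QUOTE field that spells its payload as character codes."""
    instruction = " ".join(instruction.split())
    m = QUOTE_RE.match(instruction)
    if m:
        codes = [int(c) for c in re.findall(r"\d+", m.group(1))]
        if codes and all(c < 0x110000 for c in codes):
            return "".join(chr(c) for c in codes)
    return instruction


def find_dde(document_xml):
    """Return the normalised instruction of every DDE/DDEAUTO field in the part."""
    return [inst for inst in map(normalise, field_instructions(document_xml)) if DDE_RE.match(inst)]


def scan_docx(path):
    """Check every XML part under word/ (body, headers, footers) of a .docx file."""
    hits = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found = find_dde(zf.read(name))
                if found:
                    hits[name] = found
    return hits


# Constructed word/document.xml: a plain DDEAUTO field, a DDE field split across
# two runs, a QUOTE-encoded DDEAUTO field and a harmless PAGE field.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Error!</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">E "C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\windows\system32\cmd.exe" "/c calc"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>QUOTE 68 68 69 65 85 84 79 32 99 97 108 99</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>"""

if __name__ == "__main__":
    for hit in find_dde(SAMPLE_DOCUMENT_XML):
        print("DDE field:", hit)
```

The detector keys on the field instruction rather than on a byte pattern, which is why the split-run and QUOTE tricks do not help the attacker; it does not cover RTF or the legacy binary .doc format, where the field text lives in other structures.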
∗∗∗ Criminals are trying to get hold of your Microsoft credentials ∗∗∗
---------------------------------------------
With the rise of working from home, coordination and planning are increasingly moving into the digital world. "Microsoft Planner" is a widely used tool for keeping track, and scammers know this too. Criminals are currently sending e-mails in the name of "Microsoft Planner" in the hope that recipients will reveal their Microsoft credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versuchen-an-ihre-microso…
∗∗∗ IronNetInjector: Turla’s New Malware Loading Tool ∗∗∗
---------------------------------------------
IronPython has been used for malicious purposes before, but in its new malware loading tool IronNetInjector, threat group Turla uses it in a new way.
---------------------------------------------
https://unit42.paloaltonetworks.com/ironnetinjector/
∗∗∗ SectopRAT Adds Encrypted Communication ∗∗∗
---------------------------------------------
SectopRAT first appeared in 2019, but a recent version discovered by G DATA shows it has evolved since original analysis.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/1c75b182cb0446128ac95b0e49c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Advisory: Privilege Management for Unix & Linux (PMUL) Basic and Privilege Management for Mac (PMM) Affected by Sudo Vulnerability ∗∗∗
---------------------------------------------
On January 26, 2021, the Qualys research team disclosed a heap overflow vulnerability (CVE-2021-3156) within sudo that allows any unprivileged user to gain root privileges on Linux without requiring a password. BeyondTrust PBsudo/Privilege Management for Unix & Linux Basic is affected by this CVE. Apple also acknowledged and released updates to macOS for this CVE on Feb 10, 2021. Based on macOS releases, we confirmed that Privilege Management for Mac (PMM) is also impacted by this
---------------------------------------------
https://www.beyondtrust.com/blog/entry/security-advisory-privilege-manageme…
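Two checks a practitioner would want before relying on any vendor statement about CVE-2021-3156, as an added example that is not part of the BeyondTrust advisory: a version comparison against the upstream ranges published in the Qualys disclosure, and the behavioural probe `sudoedit -s /` from the same disclosure, which needs no privileges and does not prompt for a password. Assumed here: the affected ranges and the two output prefixes as Qualys published them. Distribution builds that backport the fix keep an old version string, so the version check alone gives false positives; the behavioural result is the one to act on.

```python
import re
import subprocess

VULNERABLE, PATCHED, UNKNOWN = "vulnerable", "patched", "unknown"

# Upstream ranges listed in the Qualys disclosure for CVE-2021-3156:
# legacy 1.8.2 to 1.8.31p2 and stable 1.9.0 to 1.9.5p1; fixed in 1.9.5p2.
AFFECTED_RANGES = (((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1)))


def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.31p2' (first line of `sudo --version`) into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(version):
    """True if the upstream version number falls inside one of the affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(output):
    """Interpret the first line of `sudoedit -s /` run as an unprivileged user.

    An unpatched sudo accepts the -s flag for sudoedit (the root cause of the bug)
    and only fails later on the path, so it answers 'sudoedit: /: not a regular file'.
    A fixed build rejects the flag combination and prints its usage text instead.
    """
    first = output.strip().splitlines()[0] if output.strip() else ""
    if first.startswith("sudoedit:"):
        return VULNERABLE
    if first.startswith("usage:"):
        return PATCHED
    return UNKNOWN


def check_local_sudo():
    """Run both checks on this host; the behavioural result outranks the version check."""
    result = {"version": None, "version_in_affected_range": None, "behaviour": UNKNOWN}
    try:
        ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True,
                             stdin=subprocess.DEVNULL, timeout=10).stdout
        result["version"] = parse_sudo_version(ver)
        if result["version"]:
            result["version_in_affected_range"] = version_in_affected_range(result["version"])
        probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True,
                               stdin=subprocess.DEVNULL, timeout=10)
        result["behaviour"] = classify_sudoedit_output(probe.stdout + probe.stderr)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        pass
    return result


if __name__ == "__main__":
    print(check_local_sudo())
```

Run it as a normal user, not root: the probe is meaningful only when sudo has to evaluate the flags for an unprivileged caller. Products such as PMUL that wrap or replace the sudo binary need the same probe against the binary they actually install.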
∗∗∗ VU#240785: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs ∗∗∗
---------------------------------------------
Overview: Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.
Description: The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
Impact: By placing a specially-crafted DLL
---------------------------------------------
https://kb.cert.org/vuls/id/240785
∗∗∗ Certitude Security Advisory - CSA-2021-001: CSRF in Apache MyFaces (CVE-2021-26296) ∗∗∗
---------------------------------------------
Apache MyFaces is an open-source implementation of JSF. During a quick evaluation, Certitude found that the default CSRF protection of Apache MyFaces was insufficient as the CSRF tokens the framework generates can be guessed by an attacker.
---------------------------------------------
https://certitude.consulting/advisories/CSA_2021_001_Cross_Site_Request_For…
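The advisory's point is that a CSRF token is only as strong as the randomness it is drawn from. As an added example (constructed; not MyFaces' code and not a description of its internals), the following Python shows what "guessable" means in practice: a token generator built on a 48-bit linear congruential generator with java.util.Random's constants leaks its entire state in a single token, so whoever obtains one token (for instance in a session of their own, if one generator serves all sessions) can compute the next one offline. The fix shown beside it is the OS CSPRNG via `secrets`, with the comparison done in constant time.

```python
import hmac
import secrets

MASK48 = (1 << 48) - 1
MULT, ADD = 0x5DEECE66D, 0xB  # java.util.Random's LCG constants


class WeakTokenSource:
    """CSRF token source backed by a 48-bit LCG: a constructed toy, not MyFaces' code.

    Each token is four consecutive 32-bit outputs (the top 32 bits of the state)
    rendered as hex, i.e. the shape of a token assembled from nextInt() calls.
    """

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK48

    @classmethod
    def from_state(cls, state):
        src = cls(0)
        src.state = state
        return src

    def next32(self):
        self.state = (self.state * MULT + ADD) & MASK48
        return self.state >> 16

    def token(self):
        return "".join(f"{self.next32():08x}" for _ in range(4))


def recover_state(out1, out2, out3):
    """Recover the 48-bit state after out2 from three consecutive 32-bit outputs.

    Only the 16 low bits of the state are hidden from the attacker, so 65536 guesses
    suffice; out3 confirms the candidate so a chance collision on out2 is not accepted.
    """
    for low in range(1 << 16):
        s2 = (((out1 << 16) | low) * MULT + ADD) & MASK48
        if s2 >> 16 != out2:
            continue
        s3 = (s2 * MULT + ADD) & MASK48
        if s3 >> 16 == out3:
            return s2
    return None


def predict_next_token(observed_hex):
    """Given one token issued by WeakTokenSource, return the token it will issue next."""
    words = [int(observed_hex[i:i + 8], 16) for i in range(0, 32, 8)]
    state = recover_state(words[0], words[1], words[2])
    if state is None:
        return None
    for _ in words[2:]:  # step past the remaining outputs of the observed token
        state = (state * MULT + ADD) & MASK48
    return WeakTokenSource.from_state(state).token()


def secure_token():
    """The fix: 128 bits from the OS CSPRNG, never from a seeded or shared PRNG."""
    return secrets.token_hex(16)


def tokens_match(expected, presented):
    """Compare in constant time so the check leaks nothing about the expected value."""
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    server = WeakTokenSource(seed=20210219)
    seen = server.token()          # the attacker observes one token
    print("observed :", seen)
    print("predicted:", predict_next_token(seen))
    print("actual   :", server.token())
    print("secure   :", secure_token())
```

A token from `secrets` gives the attacker nothing to extrapolate from, and the constant-time comparison closes the separate timing side channel on the check itself; the same two rules apply to session identifiers and password-reset tokens.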
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).
---------------------------------------------
https://lwn.net/Articles/846787/
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2021-20354) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea…
∗∗∗ OpenSSL vulnerability CVE-2021-23840 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24624116
∗∗∗ OpenSSL vulnerability CVE-2021-23839 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61903372
∗∗∗ OpenSSL vulnerability CVE-2021-23841 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52833764
∗∗∗ cURL vulnerability CVE-2020-8284 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K63525058
∗∗∗ cURL vulnerability CVE-2020-8285 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61186963
∗∗∗ cURL vulnerability CVE-2020-8286 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15402727
∗∗∗ Johnson Controls Metasys Reporting Engine (MRE) Web Services ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-049-01
∗∗∗ Mitsubishi Electric FA engineering software products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-02-2021 18:00 − Thursday 18-02-2021 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ How to Not Give a Scam ∗∗∗
---------------------------------------------
Learn about tactics attackers use for extortion emails and how to build a picture around raw data as the DomainTools team leads an investigation into a sextortion scam.
---------------------------------------------
https://www.domaintools.com/resources/blog/how-to-not-give-a-scam
∗∗∗ Mac Malware Targets Apple’s In-House M1 Processor ∗∗∗
---------------------------------------------
A malicious adware-distributing application specifically targets Apple's new M1 SoC, used in its newest-generation MacBook Air, MacBook Pro and Mac mini devices.
---------------------------------------------
https://threatpost.com/macos-malware-apple-m1-processor/164075/
∗∗∗ Covid-19 vaccines: danger from scam e-mails and fake news ∗∗∗
---------------------------------------------
The vaccination campaigns getting under way worldwide are the long-awaited ray of hope in the fight against the pandemic. At the same time, scammers and spreaders of fake news have discovered the topic of vaccines for themselves.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/02/17/covid-19-impfstoffe-gefah…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2020-8625: A vulnerability in BINDs GSSAPI security policy negotiation can be targeted by a buffer overflow attack ∗∗∗
---------------------------------------------
This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features. Solution: Upgrade to the patched release most closely related to your current version of BIND.
---------------------------------------------
https://kb.isc.org/docs/cve-2020-8625
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mumble, openssl, php7.3, and webkit2gtk), openSUSE (jasper, php7, and screen), SUSE (bind, php7, and php72), and Ubuntu (bind9, openssl, openssl1.0, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/846623/
∗∗∗ Security Bulletin: A security vulnerability in Node.js y18n module affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4933) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af…
∗∗∗ Security Bulletin: Vulnerability has been identified in SnakeYAML used by IBM Dependency Based Build ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-has-been-id…
∗∗∗ Security Bulletin: IBM Maximo Data Loader (maxloader) shipped with IBM Maximo for Civil Infrastructure is vulnerable to cross-site scripting and missing or insecure "X-XSS-Protection" header ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-data-loader-ma…
∗∗∗ Security Bulletin: A security vulnerability in Node.js ini module affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Maximo Data Loader (maxloader) shipped with IBM Maximo for Civil Infrastructure is vulnerable to autocomplete HTML Attribute not disabled for password field ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-data-loader-ma…
∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js codemirror module affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple BIND vulnerabilities (CVE-2020-8622, CVE-2020-8623, CVE-2020-8624) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ February 16, 2021 TNS-2021-02 [R1] Nessus Network Monitor 5.13.0 Fixes One Third-party Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2021-02
∗∗∗ XSA-366 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-366.html
∗∗∗ Jira Server for Slack Security Advisory 17th February 2021 ∗∗∗
---------------------------------------------
https://confluence.atlassian.com/jira/jira-server-for-slack-security-adviso…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-02-2021 18:00 − Wednesday 17-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Masslogger Swipes Microsoft Outlook, Google Chrome Credentials ∗∗∗
---------------------------------------------
A new version of the Masslogger trojan has been targeting Windows users - now using a compiled HTML (CHM) file format to start the infection chain.
---------------------------------------------
https://threatpost.com/masslogger-microsoft-outlook-google-chrome/164011/
∗∗∗ The new "LinkedInSecureMessage"?, (Wed, Feb 17th) ∗∗∗
---------------------------------------------
With all the talk of secure messenger applications lately, I bet you’d like to have just one more, right? In the past few weeks, we’ve noticed a new variant on a typical cred-stealer, in this case offering itself up as a new, secure messaging format used over the career website LinkedIn.
---------------------------------------------
https://isc.sans.edu/diary/rss/27110
∗∗∗ Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping ∗∗∗
---------------------------------------------
A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls. That's according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.io's SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; healthcare apps like Talkspace, Practo, and Dr. First's Backline; and in the Android app that's paired with the "temi" personal robot.
---------------------------------------------
https://thehackernews.com/2021/02/agora-sdk-bug-left-several-video.html
∗∗∗ North Korean Malicious Cyber Activity: AppleJeus ∗∗∗
---------------------------------------------
Original release date: February 17, 2021. CISA, the Federal Bureau of Investigation, and the Department of the Treasury have released a Joint Cybersecurity Advisory and seven Malware Analysis Reports (MARs) on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/02/17/north-korean-mali…
∗∗∗ Remotely Exploitable 0day in Internet Explorer Gets a Free Micropatch ∗∗∗
---------------------------------------------
On February 4, 2021, security researchers at ENKI, a South Korean security consultancy, published a blog post detailing an unpatched vulnerability in Internet Explorer. This "0day" vulnerability was used in an attack campaign against various security researchers, including ENKI researchers, who noticed the attack and took the exploit apart to extract the vulnerability information. ENKI researchers kindly shared their proof of concept with us, so we could quickly start analyzing the vulnerability and create a micropatch for it.
---------------------------------------------
https://blog.0patch.com/2021/02/remotely-exploitable-0day-in-internet.html
∗∗∗ Beware of suspiciously cheap offers on Facebook Marketplace! ∗∗∗
---------------------------------------------
Facebook's Marketplace allows not only private sellers but also commercial traders to offer new and used products. Interested buyers should nevertheless check the listings and the Facebook profiles behind them carefully, because, as on other classified-ad platforms, fraud occurs on Facebook time and again. We show you how to expose fraudulent offers.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-angeboten…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP patches critical vulnerability in Surveillance Station NAS app ∗∗∗
---------------------------------------------
QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-patches-critical-vulner…
∗∗∗ OpenSSL Security Advisory [16 February 2021] ∗∗∗
---------------------------------------------
Severity Moderate: Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
Severity Low: Incorrect SSLv2 rollback protection (CVE-2021-23839)
Severity Low: Integer overflow in CipherUpdate (CVE-2021-23840)
---------------------------------------------
https://www.openssl.org/news/secadv/20210216.txt
∗∗∗ One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms ∗∗∗
---------------------------------------------
On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations.
---------------------------------------------
https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-seve…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openssl and ruby-mechanize), Fedora (chromium, jasper, roundcubemail, spice-vdagent, and webkit2gtk3), openSUSE (python-bottle), Oracle (dotnet, kernel, and kernel-container), Red Hat (redhat-ds:11, RHDM, and RHPAM), SUSE (jasper, kernel, and screen), and Ubuntu (thunderbird and wpa).
---------------------------------------------
https://lwn.net/Articles/846476/
∗∗∗ Cisco StarOS Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for AIX and Linux – July 2020. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Security Bulletin: OpenSSL vulnerability affects IBM Engineering Workflow Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff…
∗∗∗ Hamilton-T1 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-047-01
∗∗∗ Open Design Alliance Drawings SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-047-01
∗∗∗ Rockwell Automation Allen-Bradley Micrologix 1100 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-047-02
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-02-2021 18:00 − Tuesday 16-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyberattack on Dutch Research Council (NWO) suspends research grants ∗∗∗
---------------------------------------------
Servers belonging to the Dutch Research Council (NWO) have been compromised, forcing the organization to make its network unavailable and suspend subsidy allocation for the foreseeable future.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cyberattack-on-dutch-researc…
∗∗∗ Microsoft pulls Windows KB4601392 for blocking security updates ∗∗∗
---------------------------------------------
Microsoft has pulled a problematic Windows servicing stack update (SSU) after it blocked Windows 10 and Windows Server customers from installing the security updates released during this month's Patch Tuesday.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-windows-kb4…
∗∗∗ Sandworm: France reports years-long state-sponsored hack of servers ∗∗∗
---------------------------------------------
Similar to the SolarWinds hack, there are said to have been years of attacks on the open-source monitoring software Centreon.
---------------------------------------------
https://www.golem.de/news/sandworm-frankreich-meldet-jahrelangen-staatliche…
∗∗∗ More weirdness on TCP port 26, (Tue, Feb 16th) ∗∗∗
---------------------------------------------
A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week when I noticed another spike on port 26, I decided to take another look.
---------------------------------------------
https://isc.sans.edu/diary/rss/27106
∗∗∗ Corona aid for businesses: Fake email in the name of the Federal Ministry of Social Affairs in circulation ∗∗∗
---------------------------------------------
Numerous business owners are currently finding an email with the subject "Überbrückungshilfe III - Informationen und Unterstützung für Unternehmen", allegedly from the Federal Ministry of Social Affairs, in their inbox. Caution: this email comes from criminals and contains malware.
---------------------------------------------
https://www.watchlist-internet.at/news/corona-hilfe-fuer-unternehmen-gefael…
=====================
= Vulnerabilities =
=====================
∗∗∗ Malvertisers exploited browser zero-day to redirect users to scams ∗∗∗
---------------------------------------------
The ScamClub malvertising group used a zero-day vulnerability in the WebKit web browser engine to push payloads that redirected to gift card scams.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malvertisers-exploited-brows…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (spip), Mageia (chromium-browser, kernel, kernel-linus, and trojita), openSUSE (mumble and opera), Red Hat (container-tools:rhel8, java-1.8.0-ibm, kernel, kernel-rt, net-snmp, nodejs:10, nodejs:12, nodejs:14, nss, perl, python, and rh-nodejs10-nodejs), and SUSE (jasper, python-bottle, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/846395/
∗∗∗ Security bugs left unpatched in Android app with one billion downloads ∗∗∗
---------------------------------------------
The vulnerabilities impact SHAREit, an app used for sharing files between users and their devices.
---------------------------------------------
https://www.zdnet.com/article/security-bugs-left-unpatched-in-android-app-w…
∗∗∗ Calsos CSDJ fails to restrict access permissions ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN87164507/
∗∗∗ FileZen vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN58774946/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-4954, CVE-2020-4955, CVE-2020-4956) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server January 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ XSA-365 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-365.html
∗∗∗ XSA-364 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-364.html
∗∗∗ XSA-363 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-363.html
∗∗∗ XSA-362 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-362.html
∗∗∗ XSA-361 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-361.html
∗∗∗ Nagios Enterprises Nagios XI: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0178
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-02-2021 18:00 − Monday 15-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Copycats imitate novel supply chain attack that hit tech giants ∗∗∗
---------------------------------------------
This week, hundreds of new packages have been published to the npm open-source repository named after private components being internally used by major companies. These npm packages are identical to the proof-of-concept packages created by Alex Birsan, the researcher who had recently managed to infiltrate over 35 major tech firms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/copycats-imitate-novel-suppl…
∗∗∗ Sunbird and Hornbill: New Android spyware from the Confucius APT ∗∗∗
---------------------------------------------
Security researchers have discovered two pieces of malware that they attribute to a pro-Indian APT group. Both are said to be based on commercial spyware.
---------------------------------------------
https://www.golem.de/news/sunbird-und-hornbill-neue-android-spyware-der-con…
∗∗∗ Using Logstash to Parse IPtables Firewall Logs, (Sat, Feb 13th) ∗∗∗
---------------------------------------------
One of our readers submitted some DSL modem firewall logs (iptables format) and I wrote a simple logstash parser to analyze and illustrate the activity; in this case, it is all scanning activity against this modem. An iptables parser exists for Filebeat, but for this example, I wanted to show how to create a simple logstash parser using Grok to parse these logs and send them to Elastic.
---------------------------------------------
https://isc.sans.edu/diary/rss/27096
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware vSphere Replication: Updates fix remotely exploitable vulnerability ∗∗∗
---------------------------------------------
Security updates are available for several versions of the vCenter Server extension vSphere Replication that close a "High"-severity vulnerability.
---------------------------------------------
https://heise.de/-5055247
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (busybox, linux-4.19, openvswitch, subversion, unbound1.9, and xterm), Fedora (audacity, community-mysql, kernel, libzypp, mysql-connector-odbc, python-django, python3.10, and zypper), openSUSE (librepo, openvswitch, subversion, and wpa_supplicant), Red Hat (subversion:1.10), SUSE (kernel, openvswitch, perl-File-Path, and wpa_supplicant), and Ubuntu (postgresql-12).
---------------------------------------------
https://lwn.net/Articles/846318/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0001 ∗∗∗
---------------------------------------------
* Versions affected: WebKitGTK before 2.30.5 and WPE WebKit before 2.30.5.
* Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
* Description: A use-after-free issue in the AudioSourceProviderGStreamer class was addressed with improved memory management.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0001.html
∗∗∗ Security Bulletin: Insecure HTTP Communication ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-insecure-http-communicati…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-4954, CVE-2020-4955, CVE-2020-4956) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cognos Controller is vulnerable to privilege escalation (CVE-2020-4685) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-is-…
∗∗∗ Security Bulletin: Vulnerabilities in bind CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-bind-c…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2020-1971). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-02-2021 18:00 − Friday 12-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Buggy WordPress plugin exposes 100K sites to takeover attacks ∗∗∗
---------------------------------------------
Critical and high severity vulnerabilities in the Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks as discovered by Wordfence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-expos…
∗∗∗ Internet Explorer 11 zero-day vulnerability gets unofficial micropatch ∗∗∗
---------------------------------------------
An Internet Explorer 11 zero-day vulnerability used against security researchers, not yet fixed by Microsoft, today received a micropatch that prevents exploitation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/internet-explorer-11-zero-da…
∗∗∗ Web shell attacks continue to rise ∗∗∗
---------------------------------------------
A year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-contin…
∗∗∗ AgentTesla Dropped Through Automatic Click in Microsoft Help File, (Fri, Feb 12th) ∗∗∗
---------------------------------------------
Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension is less common (like .xsl files), others look really safe and make the victim confident enough to open them. I spotted a phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive, but it contains a .chm file: a Microsoft compiled HTML Help file.
---------------------------------------------
https://isc.sans.edu/diary/rss/27092
∗∗∗ Beware of financial fraud: Do not pay 250 euros into horizoninvest.cc! ∗∗∗
---------------------------------------------
The Austrian Financial Market Authority (FMA) is currently warning of investment and financial fraud with an ongoing campaign. Watchlist Internet is also receiving an increasing number of reports of fraudulent platforms that promise easy money through investments. Readers are currently reporting horizoninvest.cc more and more often. Do not pay any money there under any circumstances! It ends up directly in the hands of the criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-finanzbetrug-zahlen-sie-kei…
∗∗∗ Free decrypter released for Avaddon ransomware victims... aaand, it's gone! ∗∗∗
---------------------------------------------
The Avaddon ransomware gang said in a forum post they had already updated their code to counter the tool's release.
---------------------------------------------
https://www.zdnet.com/article/free-decrypter-released-for-avaddon-ransomwar…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: Attackers could take over F5 BIG-IP appliances ∗∗∗
---------------------------------------------
Various F5 network products are attackable. Attackers could disable devices or even execute their own commands.
---------------------------------------------
https://heise.de/-5053268
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc, librepo, nextcloud, and privoxy), SUSE
---------------------------------------------
https://lwn.net/Articles/845999/
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in Oracle Java shipped with IBM® Intelligent Operations Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not sufficiently safeguard session IDs from session fixation attacks (CVE-2021-20411) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: CVE-2020-2773 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-may-affect-…
∗∗∗ Security Bulletin: a security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not sufficiently protect the key that encrypts and decrypts product credentials (CVE-2021-20408) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center (CVE-2020-2601) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue discloses sensitive information in source code (CVE-2021-20407) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a relatively weak cryptographic algorithm to protect application data (CVE-2021-20406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Multiple Embedded TCP/IP stacks ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-042-01
∗∗∗ Rockwell Automation DriveTools SP and Drives AOP ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-042-02
∗∗∗ Wibu-Systems CodeMeter (Update E) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-02-2021 18:00 − Thursday 11-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ TrickBot's BazarBackdoor malware is now coded in Nim to evade antivirus ∗∗∗
---------------------------------------------
TrickBot's stealthy BazarBackdoor malware has been rewritten in the Nim programming language, likely to evade detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickbots-bazarbackdoor-malw…
∗∗∗ Hybrid, Older Users Most-Targeted by Gmail Attackers ∗∗∗
---------------------------------------------
Researchers at Google and Stanford analyzed 1.2 billion malicious emails to find out what makes users likely to get attacked. 2FA wasn't a big factor.
---------------------------------------------
https://threatpost.com/hybrid-older-users-gmail-attackers/163826/
∗∗∗ Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th) ∗∗∗
---------------------------------------------
While going through attachments of e-mails, which were caught in my e-mail quarantine since the beginning of February, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would not be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27088
∗∗∗ Microsoft Launches Phase 2 Mitigation for Netlogon Remote Code Execution Vulnerability (CVE-2020-1472) ∗∗∗
---------------------------------------------
Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launche…
∗∗∗ Zeoticus 2.0: Ransomware With No C2 Required ∗∗∗
---------------------------------------------
Zeoticus ransomware first appeared for sale in various underground forums and markets in early 2020. The ransomware is currently Windows-specific and, according to the developers, functions on all “supported versions of Windows”.
---------------------------------------------
https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/
∗∗∗ FBI warns against Windows 7 and TeamViewer ∗∗∗
---------------------------------------------
Following the poisoning attack on a water treatment plant in Florida, the US federal police FBI has issued an official warning against the use of Windows 7 and TeamViewer.
---------------------------------------------
https://www.zdnet.de/88393353/fbi-warnt-vor-windows-7-und-teamviewer/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP Commerce Critical Security Bug Allows RCE ∗∗∗
---------------------------------------------
The critical SAP cybersecurity flaw could allow for the compromise of an application used by e-commerce businesses.
---------------------------------------------
https://threatpost.com/sap-commerce-critical-security-bug/163822/
∗∗∗ DoS and malicious code attacks against McAfee Total Protection possible ∗∗∗
---------------------------------------------
An important security update is available for McAfee Total Protection on Windows.
---------------------------------------------
https://heise.de/-5052175
∗∗∗ Windows Print Spooler Keeps Delivering Vulnerabilities, And We Keep Patching Them (CVE-2020-1030) ∗∗∗
---------------------------------------------
by Mitja Kolsek, the 0patch Team. Security researcher Victor Mata of Accenture published a detailed analysis of a binary planting vulnerability in Windows Print Spooler (CVE-2020-1030), which they had previously reported to Microsoft in May 2020 and for which a fix was included in the September 2020 Windows Updates.
---------------------------------------------
https://blog.0patch.com/2021/02/print-spooler-keeps-delivering.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firejail and netty), Fedora (java-1.8.0-openjdk, java-11-openjdk, rubygem-mechanize, and xpdf), Mageia (gstreamer1.0-plugins-bad, nethack, and perl-Email-MIME and perl-Email-MIME-ContentType), openSUSE (firejail, java-11-openjdk, python, and rclone), Red Hat (dotnet, dotnet3.1, dotnet5.0, and rh-nodejs12-nodejs), SUSE (firefox, kernel, python, python36, and subversion), and Ubuntu (gnome-autoar, junit4, openvswitch, postsrsd, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/845750/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i – July 2020. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not properly encode error messages sent to web users (CVE-2021-20405) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with a cross-site scripting vulnerability (CVE-2020-7676) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with known vulnerabilities (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-…
∗∗∗ Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (CVE-2020-4847) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ VMSA-2021-0001 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0001.html
∗∗∗ Squid: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0147
∗∗∗ Trend Micro products: Vulnerability allows bypassing security mechanisms ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0169
∗∗∗ F5 BIG-IP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0163
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-02-2021 18:00 − Wednesday 10-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Rinfo Is Making A Comeback and Is Scanning and Mining in Full Speed ∗∗∗
---------------------------------------------
In 2018 we blogged about a scanning&mining botnet family that uses ngrok.io to propagate samples: "A New Mining Botnet Blends Its C2s into ngrok Service", and since mid-October 2020, our BotMon system started to see a new variant of this family [...]
---------------------------------------------
https://blog.netlab.360.com/rinfo-is-making-a-comeback-and-is-scanning-and-…
∗∗∗ Do not buy a Paysafecard to pay customs fees! ∗∗∗
---------------------------------------------
A new mass e-mail is currently landing in the inboxes of numerous internet users. The message is purportedly sent by the customer service of German or Swiss customs.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-paysafecard-um-zoll…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple fixes SUDO root privilege escalation flaw in macOS ∗∗∗
---------------------------------------------
Apple has fixed a sudo vulnerability in macOS Big Sur, Catalina, and Mojave, allowing any local user to gain root-level privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/apple/apple-fixes-sudo-root-privilege…
∗∗∗ Confusion attack: Microsoft warns of easy takeover of internal packages ∗∗∗
---------------------------------------------
If an internal and an external package share the same name, trojans can be smuggled in.
---------------------------------------------
https://www.golem.de/news/confusion-attack-microsoft-warnt-vor-einfacher-ue…
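The attack works because a package resolver that is given both a private and a public index merges the candidates from all of them and installs the highest version, so an attacker who publishes the internal name on the public index with a large version number wins. As an added example that is not part of the article or of Microsoft's white paper, the Python below simulates that lookup against two constructed indexes: the vulnerable merge beside a hardened lookup that routes the internal namespace only to the private index, plus the check for internal names that already exist publicly. The package names, the `acme-` prefix and the index contents are made up.

```python
# Constructed index contents: package name -> versions available there.
PRIVATE_INDEX = {"acme-billing": ["1.4.0", "1.5.2"], "acme-auth": ["0.9.1"]}
PUBLIC_INDEX = {"requests": ["2.25.1"], "acme-billing": ["99.0.0"]}  # squatted by an attacker

# Assumed convention: everything in the internal namespace carries this prefix.
INTERNAL_PREFIX = "acme-"


def parse_version(v):
    """'1.5.2' -> (1, 5, 2); enough for numeric versions in this demo."""
    return tuple(int(part) for part in v.split("."))


def fmt_version(t):
    return ".".join(str(p) for p in t)


def resolve_extra_index(name, private, public):
    """Vulnerable: candidates from every index are pooled and the highest
    version wins. This is the 'extra index' behaviour the confusion attack
    abuses; the attacker only has to out-version the internal package."""
    candidates = [(parse_version(v), "private") for v in private.get(name, [])]
    candidates += [(parse_version(v), "public") for v in public.get(name, [])]
    if not candidates:
        raise LookupError(name)
    version, source = max(candidates)
    return fmt_version(version), source


def resolve_scoped(name, private, public):
    """Hardened: internal names are only ever looked up on the private index,
    everything else only on the public one. A public package squatting an
    internal name is never a candidate, whatever its version."""
    if name.startswith(INTERNAL_PREFIX):
        versions, source = private.get(name, []), "private"
    else:
        versions, source = public.get(name, []), "public"
    if not versions:
        raise LookupError(name)
    return fmt_version(max(parse_version(v) for v in versions)), source


def squatted_internal_names(private, public):
    """Internal names that also exist on the public index. Each hit is either
    a reservation you registered yourself or an attacker's placeholder."""
    return sorted(n for n in private if n.startswith(INTERNAL_PREFIX) and n in public)


if __name__ == "__main__":
    for name in ("acme-billing", "acme-auth", "requests"):
        print(name, "merged:", resolve_extra_index(name, PRIVATE_INDEX, PUBLIC_INDEX),
              "scoped:", resolve_scoped(name, PRIVATE_INDEX, PUBLIC_INDEX))
    print("squatted:", squatted_internal_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

The scoped lookup is what a single proxying index (or a client that supports per-package index routing) gives you; a prefix check on its own is only a model of that. Reserving the internal names on the public index and pinning hashes in the lockfile are the complementary controls.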
∗∗∗ Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th) ∗∗∗
---------------------------------------------
This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed.
---------------------------------------------
https://isc.sans.edu/diary/rss/27080
∗∗∗ Patch day: Adobe addresses critical vulnerabilities in Acrobat, Photoshop & Co. ∗∗∗
---------------------------------------------
Attackers are currently targeting Windows users with Adobe Reader. Security updates are available for download.
---------------------------------------------
https://heise.de/-5050997
∗∗∗ Patch day: Intel provides updated drivers, firmware and software ∗∗∗
---------------------------------------------
Updates from Intel, this time mostly available as downloads for end users, remove vulnerabilities, some rated high severity, from various products.
---------------------------------------------
https://heise.de/-5051084
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman, firejail, libzstd, slirp, and xcftools), Fedora (chromium, jackson-databind, and privoxy), openSUSE (chromium), Oracle (kernel and kernel-container), Slackware (dnsmasq), SUSE (java-11-openjdk, kernel, and python), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oem-5.6, linux-oracle, linux-raspi, linux, linux-gke-5.0, linux-gke-5.3, linux-hwe, linux-raspi2-5.3, openjdk-8, openjdk-lts, and snapd).
---------------------------------------------
https://lwn.net/Articles/845602/
∗∗∗ This old security vulnerability left millions of Internet of Things devices vulnerable to attacks ∗∗∗
---------------------------------------------
History's repeating, warn security researchers, who find that a computer security issue that's been known about for decades could be used to manipulate IoT devices - so apply the patches now.
---------------------------------------------
https://www.zdnet.com/article/this-old-security-vulnerability-left-millions…
∗∗∗ GE Digital HMI/SCADA iFIX ∗∗∗
---------------------------------------------
This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource vulnerabilities in the GE Digital HMI/SCADA iFIX software component.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-040-01
∗∗∗ Advantech iView ∗∗∗
---------------------------------------------
This advisory contains mitigations for SQL Injection, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in the Advantech iView device management application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-…
∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an error within Eclipse Jetty (CVE-2020-27216) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4791) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4995) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js and FasterXML jackson-databind affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4795) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a security vulnerability (CVE-2016-2183) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Arbitrary File Read (CVE-2020-4789) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an "Apache CXF" jar vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4790) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-02-2021 18:00 − Tuesday 09-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Android Devices Hunted by LodaRAT Windows Malware ∗∗∗
---------------------------------------------
The LodaRAT - known for targeting Windows devices - has been discovered also targeting Android devices in a new espionage campaign.
---------------------------------------------
https://threatpost.com/android-devices-lodarat-windows/163769/
∗∗∗ Florida: Hacker wanted to poison drinking water remotely ∗∗∗
---------------------------------------------
Criminals hacked a drinking water plant in Florida and multiplied the sodium hydroxide feed. An employee observed the act and stopped it.
---------------------------------------------
https://heise.de/-5049266
∗∗∗ Arrest, Raids Tied to ‘U-Admin’ Phishing Kit ∗∗∗
---------------------------------------------
Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of U-Admin, a software package used to administer what's being called "one of the world's largest phishing services."
---------------------------------------------
https://krebsonsecurity.com/2021/02/arrest-raids-tied-to-u-admin-phishing-k…
∗∗∗ BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech ∗∗∗
---------------------------------------------
The novel Chinese shellcode "BendyBear" is one of the most sophisticated, well-engineered and difficult-to-detect samples employed by an APT.
---------------------------------------------
https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/
∗∗∗ PyPI, GitLab dealing with spam attacks ∗∗∗
---------------------------------------------
Both sites have been flooded over the weekend with garbage content.
---------------------------------------------
https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Critical vulnerability in WordPress plug-in NextGen Gallery ∗∗∗
---------------------------------------------
A loophole in NextGen Gallery could let malicious code onto 800,000 WordPress websites.
---------------------------------------------
https://heise.de/-5049401
∗∗∗ Linux kernel CVE-2020-10769 ∗∗∗
---------------------------------------------
A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module.
---------------------------------------------
https://support.f5.com/csp/article/K62532228
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/845504/
∗∗∗ ZDI-21-153: Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-153/
∗∗∗ SSA-379803: Vulnerabilities in RUGGEDCOM ROX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-379803.txt
∗∗∗ SSA-428051: Privilege Escalation Vulnerability in TIA Administrator ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-428051.txt
∗∗∗ SSA-686152: Denial-of-Service Vulnerability in ARP Protocol of SCALANCE W780 and W740 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-686152.txt
∗∗∗ SSA-663999: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-663999.txt
∗∗∗ SSA-536315: Privilege escalation vulnerability in DIGSI 4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-536315.txt
∗∗∗ SSA-944678: Potential Password Protection Bypass in SIMATIC WinCC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-944678.txt
∗∗∗ SSA-794542: Insecure Folder Permissions in SIMARIS configuration ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-794542.txt
∗∗∗ SSA-362164: Predictable Initial Sequence Numbers in Mentor Nucleus TCP stack ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-362164.txt
∗∗∗ SSA-156833: Zip-Slip Directory Traversal Vulnerability in SINEMA Server and SINEC NMS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-156833.txt
∗∗∗ SAP Patch Day February 2021: Multiple vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0139
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-02-2021 18:00 − Monday 08-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ IT security: Google offers database of vulnerabilities in open-source software ∗∗∗
---------------------------------------------
Whether one's own software or its dependencies are affected by security vulnerabilities is sometimes not easy to find out. Google wants to help here.
---------------------------------------------
https://www.golem.de/news/it-security-google-bietet-datenbank-zu-luecken-in…
∗∗∗ FOSDEM: Watching hackers on your own honeypot server ∗∗∗
---------------------------------------------
At FOSDEM, two developers presented a clever method for building your own SSH honeypot and looking over the hackers' shoulders.
---------------------------------------------
https://heise.de/-5048084
∗∗∗ The makers of the Ziggy ransomware regret their deeds and give up ∗∗∗
---------------------------------------------
Anyone who has caught the Ziggy extortion trojan can now decrypt their data with a free tool.
---------------------------------------------
https://heise.de/-5048379
∗∗∗ Barcode Scanner app on Google Play infects 10 million users with one update ∗∗∗
---------------------------------------------
In a single update, a popular barcode scanner app that had been on Google Play for years turned into malware. ... Google quickly removed the app from its store. ... Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner.
---------------------------------------------
https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google…
∗∗∗ Reverse Engineering Keys from Firmware. A how-to ∗∗∗
---------------------------------------------
It is possible to reverse engineer keys from firmware with some tips:
* Always look for strings/constants.
* Make guesses about the original source.
* Find a function you can recognise and work backwards to identify other functions.
* It helps if they use open-source code so you can crib from it.
---------------------------------------------
https://www.pentestpartners.com/security-blog/reverse-engineering-keys-from…
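The tips above are a recipe; as an added example, not code from the Pen Test Partners post, the Python below automates the first one (strings and constants) and adds the entropy scan usually run alongside it, against a constructed blob that stands in for an unpacked firmware image. The blob layout, the `provisioning_key` label and the 32-byte key are made up; the AES S-box bytes and the SHA-256 initial hash values are the real specification constants that tools such as findcrypt search for.

```python
import math
import struct
from collections import Counter

# Well-known constants that betray a crypto implementation (the "look for
# constants" tip). Values are taken from the AES and SHA specifications.
AES_SBOX_PREFIX = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])
SHA256_IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a)
SHA1_MD5_IV0 = 0x67452301

KNOWN_CONSTANTS = {
    "AES S-box (first 16 bytes)": AES_SBOX_PREFIX,
    "SHA-256 initial hash values (big-endian)": struct.pack(">4I", *SHA256_IV),
    "SHA-256 initial hash values (little-endian)": struct.pack("<4I", *SHA256_IV),
    "SHA-1/MD5 initial state word (big-endian)": struct.pack(">I", SHA1_MD5_IV0),
    "SHA-1/MD5 initial state word (little-endian)": struct.pack("<I", SHA1_MD5_IV0),
}


def find_constants(blob):
    """Every offset at which a known constant occurs, sorted by offset."""
    hits = []
    for name, pattern in KNOWN_CONSTANTS.items():
        start = 0
        while (pos := blob.find(pattern, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def find_strings(blob, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    out, run_start = [], None
    for i, b in enumerate(blob + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b <= 0x7e:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_len:
                out.append((run_start, blob[run_start:i].decode("ascii")))
            run_start = None
    return out


def shannon_entropy(data):
    """Bits per byte; a 32-byte window tops out at 5.0 (all bytes distinct)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(blob, window=32, step=16, threshold=4.5):
    """Windows dense enough to be key material or a lookup table."""
    return [(off, round(h, 2))
            for off in range(0, len(blob) - window + 1, step)
            if (h := shannon_entropy(blob[off:off + window])) >= threshold]


# Constructed stand-in for a firmware image: padding, a version string, an AES
# S-box fragment, the SHA-256 IV and a labelled 32-byte key placed on a window
# boundary. Nothing here comes from a real device.
KEY_OFFSET = 192
SAMPLE_KEY = bytes.fromhex("9f1e4ab37c02d5e86b1947fae3c0582d7b94ec1fa6035d8e2c71b0f4d936a5e7")
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"Device firmware v1.2\x00" + b"\x00" * 11   # offset 64
    + AES_SBOX_PREFIX                              # offset 96
    + struct.pack("<4I", *SHA256_IV)               # offset 112
    + b"\x00" * 32
    + b"provisioning_key\x00" + b"\x00" * 15       # offset 160
    + SAMPLE_KEY                                   # offset 192
    + b"\x00" * 64
)


def triage(blob):
    return {"strings": find_strings(blob),
            "constants": find_constants(blob),
            "high_entropy": high_entropy_windows(blob)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_BLOB).items():
        print(kind)
        for hit in hits:
            print(f"  {hit[0]:#06x}: {hit[1]}")
```

A high-entropy window that coincides with a constant hit (offset 96 here) is a lookup table, not a key; the window at the key offset matches no constant and sits right after a telling string, which is the pattern worth chasing in a real image. The scan only means something once the image is unpacked and any compression is undone, otherwise everything is high entropy.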
∗∗∗ Extortion by e-mail: Criminals claim to have filmed you masturbating ∗∗∗
---------------------------------------------
Fraudulent extortion e-mails are once again being sent out en masse. Criminals claim to have hacked your computer and caught you browsing porn websites. Allegedly you were filmed masturbating. The unknown sender now threatens to send this video to all your contacts. Ignore this e-mail and do not reply!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-beh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Firefox and Tor Browser: Update closes critical vulnerability and blocks NTFS bug ∗∗∗
---------------------------------------------
Version updates for Firefox, Firefox ESR and Tor Browser fix a Windows-specific security vulnerability and also bring some bug fixes.
---------------------------------------------
https://heise.de/-5048403
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu).
---------------------------------------------
https://lwn.net/Articles/845426/
∗∗∗ ImageMagick: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
ImageMagick is a collection of program libraries and tools that can process graphics in numerous formats. A local attacker can exploit a vulnerability in ImageMagick to carry out a denial of service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0135
∗∗∗ BlackBerry Powered by Android Security Bulletin - February 2021 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: The Ubuntu ca-certificates have been updated in Watson Machine Learning Community Edition containers due to expiration. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-ubuntu-ca-certificate…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-02-2021 18:00 − Friday 05-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Hackers steal StormShield firewall source code in data breach ∗∗∗
---------------------------------------------
Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-fi…
∗∗∗ Free coffee! Belgian researcher hacks prepaid vending machines ∗∗∗
---------------------------------------------
Only try this at home, folks! As easy as it might look, it's illegal in the wild, with good reason.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-ha…
∗∗∗ Stack Canaries – Gingerly Sidestepping the Cage ∗∗∗
---------------------------------------------
Tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks.
---------------------------------------------
https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage
∗∗∗ [SANS ISC] VBA Macro Trying to Alter the Application Menus ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "VBA Macro Trying to Alter the Application Menus": Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique [...]
---------------------------------------------
https://blog.rootshell.be/2021/02/05/sans-isc-vba-macro-trying-to-alter-the…
∗∗∗ Abusing Google Chrome extension syncing for data exfiltration and C&C ∗∗∗
---------------------------------------------
I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication.
---------------------------------------------
https://isc.sans.edu/diary/rss/27066
∗∗∗ besondereprasente.com: Demand your money back! ∗∗∗
---------------------------------------------
Although the website besondereprasente.com no longer exists, Watchlist Internet still receives numerous reports about this fake shop. The reason: anyone who orders from besondereprasente.com falls into an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/besondereprasentecom-fordern-sie-ihr…
∗∗∗ Plex Media servers are being abused for DDoS attacks ∗∗∗
---------------------------------------------
Cyber-security firm Netscout warns of new DDoS attack vector.
---------------------------------------------
https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-…
∗∗∗ Kaspersky warns of crypto scam ∗∗∗
---------------------------------------------
Kaspersky has discovered a new scam scheme that targets Discord users with tempting offers from supposed new crypto exchanges.
---------------------------------------------
https://www.zdnet.de/88393274/kasperksy-warnt-vor-krypto-scam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day in Chrome browser: Install the update now ∗∗∗
---------------------------------------------
An actively exploited vulnerability in the Chrome browser endangers most operating systems. Google has an update.
---------------------------------------------
https://heise.de/-5046783
∗∗∗ Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style ∗∗∗
---------------------------------------------
On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sit…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).
---------------------------------------------
https://lwn.net/Articles/845191/
∗∗∗ WordPress Plugin "Name Directory" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50470170/
∗∗∗ Security Bulletin: Watson Machine Learning Community Edition docker containers have been updated to fix a security issue in libcurl ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-c…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning 1.6.2 and 1.7.0 has been patched for various security issues in nanopb. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach…
∗∗∗ Security Bulletin: IBM API Connect is impacted by insecure web server configuration (CVE-2020-4825) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach…
∗∗∗ Security Bulletin: Content Collector for Email is affected by an embedded WebSphere Application Server Admin Console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Liberty server (WLP) affect IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph…
∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: PowerHA System Mirror for AIX vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-powerha-system-mirror-for…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-02-2021 18:00 − Thursday 04-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices ∗∗∗
---------------------------------------------
28 malicious extensions disguised traffic as Google Analytics data.
---------------------------------------------
https://arstechnica.com/?p=1739523
∗∗∗ New Fonix ransomware decryptor can recover victims' files for free ∗∗∗
---------------------------------------------
Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-fonix-ransomware-decrypt…
∗∗∗ How to Audit Password Changes in Active Directory ∗∗∗
---------------------------------------------
Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be.
---------------------------------------------
https://thehackernews.com/2021/02/how-to-audit-password-changes-in-active.h…
∗∗∗ Project Zero: Déjà vu-lnerability ∗∗∗
---------------------------------------------
A Year in Review of 0-days Exploited In-The-Wild in 2020
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
∗∗∗ E-scooters are easy to monitor and manipulate ∗∗∗
---------------------------------------------
The rental companies' apps are very forthcoming with information. With the transmitted data, an e-scooter can even be switched off while it is being ridden.
---------------------------------------------
https://heise.de/-5045945
∗∗∗ Browser sync—what are the risks of turning it on? ∗∗∗
---------------------------------------------
Browser synchronization is a handy feature but it comes with a few risks. Here's what you should be asking yourself before you switch it on.
---------------------------------------------
https://blog.malwarebytes.com/privacy-2/2021/02/browser-sync-what-are-the-r…
∗∗∗ This old form of ransomware has returned with new tricks and new targets ∗∗∗
---------------------------------------------
Cerber was once the most common form of ransomware - and now it's back, years after its heyday.
---------------------------------------------
https://www.zdnet.com/article/this-old-form-of-ransomware-has-returned-with…
=====================
= Vulnerabilities =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB21-09) ∗∗∗
---------------------------------------------
A prenotification security advisory (APSB21-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for the week of February 09, 2021.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1967
∗∗∗ Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices ∗∗∗
---------------------------------------------
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications.
---------------------------------------------
https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.ht…
∗∗∗ Patch now! Security update for SonicWall SMA 100 is available ∗∗∗
---------------------------------------------
Attackers are currently targeting SonicWall's SMA 100 remote access system. Patches are now available.
---------------------------------------------
https://heise.de/-5045657
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/845088/
∗∗∗ Panasonic Video Insight VMS vulnerable to arbitrary code execution ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN42252698/
∗∗∗ ZDI-21-151: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-151/
∗∗∗ ZDI-21-150: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-150/
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2020-14781 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: IBM SDK Java Quarterly CPU Jul 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-quarterly-cp…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ wpa_supplicant: Vulnerability allows execution of arbitrary code ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0129
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX291439
∗∗∗ Luxion KeyShot ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-035-02
∗∗∗ WAGO M&M Software fdtCONTAINER (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-02-2021 18:00 − Tuesday 02-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Linux malware steals SSH credentials from supercomputers ∗∗∗
---------------------------------------------
A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-steals-ssh…
∗∗∗ Malicious script steals credit card info stolen by other hackers ∗∗∗
---------------------------------------------
A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-script-steals-cred…
∗∗∗ New Threat: Matryosh Botnet Is Spreading ∗∗∗
---------------------------------------------
On January 25, 2021, 360 netlab's BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai's characteristics.
---------------------------------------------
https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/
∗∗∗ New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd) ∗∗∗
---------------------------------------------
Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/27056
∗∗∗ Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques ∗∗∗
---------------------------------------------
Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.
---------------------------------------------
https://thehackernews.com/2021/02/agent-tesla-malware-spotted-using-new.html
∗∗∗ Operation Dream Job by Lazarus ∗∗∗
---------------------------------------------
Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more; Torisma and LCPDot.
---------------------------------------------
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
∗∗∗ New Trickbot module uses Masscan for local network reconnaissance ∗∗∗
---------------------------------------------
The new Trickbot module is used to scan local networks for other nearby systems with open ports that could be hacked for quick lateral movement inside a company.
---------------------------------------------
https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-ne…
∗∗∗ Microsoft tracked a system sending a million malware emails a month. Here's what it discovered ∗∗∗
---------------------------------------------
Emerging attacker email infrastructure now sends over a million malware-laden emails each month.
---------------------------------------------
https://www.zdnet.com/article/microsoft-tracked-a-system-sending-a-million-…
∗∗∗ Operation NightScout: Supply‑chain attack targets online gaming in Asia ∗∗∗
---------------------------------------------
ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia.
---------------------------------------------
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain…
∗∗∗ Prize draw in Hofer's name leads to a subscription trap ∗∗∗
---------------------------------------------
Caution: Criminals pose as Hofer and inform victims via e-mail about an alleged prize.
---------------------------------------------
https://www.watchlist-internet.at/news/gewinnspiel-im-namen-von-hofer-fuehr…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs ∗∗∗
---------------------------------------------
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/125331
∗∗∗ DSA-4843 linux - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
---------------------------------------------
https://www.debian.org/security/2021/dsa-4843
∗∗∗ Apple Releases Security Updates ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/apple-releases-se…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).
---------------------------------------------
https://lwn.net/Articles/844865/
∗∗∗ Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks ∗∗∗
---------------------------------------------
Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild.
---------------------------------------------
https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-expl…
∗∗∗ Google Android: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0115
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-01-2021 18:00 − Monday 01-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st) ∗∗∗
---------------------------------------------
Over the last number of weeks (after the Solarwinds Orion news) there's been a lot of discussion on how to detect if a server-based application is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol".
---------------------------------------------
https://isc.sans.edu/diary/rss/27054
∗∗∗ Operators of the Fonix ransomware give up and publish master key ∗∗∗
---------------------------------------------
Victims of the Fonix encryption trojan see light at the end of the tunnel.
---------------------------------------------
https://heise.de/-5041914
∗∗∗ SonicWall zero-day exploited in the wild ∗∗∗
---------------------------------------------
Security firm NCC Group said it detected "indiscriminate" exploitation of a mysterious SonicWall zero-day.
---------------------------------------------
https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/
∗∗∗ Shodan Verified Vulns 2021-02-01 ∗∗∗
---------------------------------------------
Another month has passed, and with it the time has come again to take a look at Shodan's data on Verified Vulnerabilities in Austria.
---------------------------------------------
https://cert.at/de/aktuelles/2021/2/shodan-verified-vulns-2021-02-01
∗∗∗ Trickbot celebrates a comeback ∗∗∗
---------------------------------------------
No sooner has the joy over the dismantling of Emotet faded than another malware network called Trickbot is celebrating a comeback after several months of silence.
---------------------------------------------
https://www.zdnet.de/88393163/trickbot-feiert-comeback/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 ∗∗∗
---------------------------------------------
A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges. [...] Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ WordPress plug-in Popup Builder: Attackers could send newsletters ∗∗∗
---------------------------------------------
There is an important security update for the WordPress plug-in Popup Builder.
---------------------------------------------
https://heise.de/-5041788
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox, rubygem-nokogiri) and Ubuntu (mysql-5.7, mysql-8.0, python-django).
---------------------------------------------
https://lwn.net/Articles/844749/
∗∗∗ Sudo vulnerability CVE-2021-3156 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K86488846?utm_source=f5support&utm_mediu…
∗∗∗ Critical vulnerability in Apple iOS WebKit browser components can impact users of the BIG-IP APM F5 Access client ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K58149033?utm_source=f5support&utm_mediu…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-01-2021 18:00 − Friday 29-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Perl.com domain stolen, now using IP address tied to malware ∗∗∗
---------------------------------------------
The domain name perl.com was stolen this week and now points to an IP address associated with malware campaigns.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/perlcom-domain-stolen-now-us…
∗∗∗ A Look at iMessage in iOS 14 ∗∗∗
---------------------------------------------
On December 20, Citizenlab published “The Great iPwn”, detailing how “Journalists [were] Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit”. Of particular interest is the following note: “We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections”. Given that it is also now almost exactly one year ago since we published the Remote iPhone Exploitation blog post series, in which we described how an iMessage 0-click exploit can work in practice and gave a number of suggestions on how similar attacks could be prevented in the future, now seemed like a great time to dig into the security improvements in iOS 14 in more detail and explore how Apple has hardened their platform against 0-click attacks.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14…
∗∗∗ Sensitive Data Shared with Cloud Services, (Fri, Jan 29th) ∗∗∗
---------------------------------------------
Yesterday was the data protection day in Europe. I was not on duty so I'm writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild: 14GB compressed, 77M credentials.
---------------------------------------------
https://isc.sans.edu/diary/rss/27042
∗∗∗ Attacks on Individuals Fall as Cybercrime Shifts Tactics ∗∗∗
---------------------------------------------
Cybercriminals shifted away from stealing individual consumers’ information in 2020 to focus on bigger, more profitable attacks on businesses, according to a report from the Identity Theft Resource Center.
---------------------------------------------
https://www.securityweek.com/attacks-individuals-fall-cybercrime-shifts-tac…
∗∗∗ Identity theft through fraudulent job offers is booming! ∗∗∗
---------------------------------------------
The job market in Austria remains tight. This is also noticeable in the area of internet fraud. Our readers repeatedly report that, while looking for a side income, they came across a fraudulent job offer. The goal behind this scam: the fraudsters try to steal the victims' identity; sometimes an account is also opened in the name of those affected.
---------------------------------------------
https://www.watchlist-internet.at/news/identitaetsdiebstahl-durch-betrueger…
∗∗∗ Don’t stop at alert(1): Demonstrate impact with low severity bugs ∗∗∗
---------------------------------------------
When trying to discover vulnerabilities in a web application, you may not always come across high or critical severity bugs, and only end up finding low-medium severity issues like cross-site scripting (XSS). When that is the case, it is worth seeing how far those bugs can take you, since low severity vulnerabilities can still have a large effect when leveraged as part of a more impactful attack chain.
---------------------------------------------
https://medium.com/tenable-techblog/dont-stop-at-alert-1-demonstrate-impact…
=====================
= Vulnerabilities =
=====================
∗∗∗ Libgcrypt: Warning of a serious bug in the GnuPG crypto library ∗∗∗
---------------------------------------------
The latest version of the encryption library Libgcrypt, which is used by GnuPG among others, is said to have a serious security vulnerability.
---------------------------------------------
https://www.golem.de/news/libgcrypt-warnung-vor-schwerem-fehler-in-gnupg-kr…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).
---------------------------------------------
https://lwn.net/Articles/844521/
∗∗∗ Rockwell Automation FactoryTalk Linx and FactoryTalk Services Platform ∗∗∗
---------------------------------------------
This advisory contains mitigations for Classic Buffer Overflow and Improper Check or Handling of Exceptional Conditions vulnerabilities in Rockwell Automation's FactoryTalk Linx and FactoryTalk Services Platform software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-028-01
∗∗∗ SSA-520004: Telnet Authentication Vulnerability in SIMATIC HMI Comfort Panels ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-520004.txt
∗∗∗ Linksys Router: Vulnerability allows execution of arbitrary code with administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0101
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-01-2021 18:00 − Thursday 28-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th) ∗∗∗
---------------------------------------------
Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal).
---------------------------------------------
https://isc.sans.edu/diary/rss/27036
∗∗∗ Italy CERT Warns of a New Credential Stealing Android Malware ∗∗∗
---------------------------------------------
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.
---------------------------------------------
https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html
∗∗∗ CISA Malware Analysis on Supernova ∗∗∗
---------------------------------------------
CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/27/cisa-malware-anal…
∗∗∗ Pro-Ocean: Rocke Group’s New Cryptojacking Malware ∗∗∗
---------------------------------------------
In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero.
---------------------------------------------
https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojackin…
∗∗∗ US and Bulgarian authorities disrupt NetWalker ransomware operation ∗∗∗
---------------------------------------------
Authorities seize dark web domains, charge a Canadian, and seize $454,000 in cryptocurrency.
---------------------------------------------
https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalke…
∗∗∗ Stack Overflow: Here's what happened when we were hacked back in 2019 ∗∗∗
---------------------------------------------
Company goes into detail on how a hacker used Overflow's community knowledge-sharing to figure out how to hack it back in 2019.
---------------------------------------------
https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-we…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome blocks 7 more ports to stop NAT Slipstreaming attacks ∗∗∗
---------------------------------------------
Google Chrome now blocks access to websites on an additional seven TCP ports to protect against the NAT Slipstreaming 2.0 vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-chrome-blocks-7-more-…
∗∗∗ The Wordfence 2020 WordPress Threat Report ∗∗∗
---------------------------------------------
Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-…
∗∗∗ Windows Installer Local Privilege Escalation 0day Gets a Micropatch ∗∗∗
---------------------------------------------
On December 26, security researcher Abdelhamid Naceri published a blog post with a number of 0days in various security products and a local privilege escalation 0day in Windows Installer.
---------------------------------------------
https://blog.0patch.com/2021/01/windows-installer-local-privilege.html
∗∗∗ Local Privilege Escalation 0day in PsExec Gets a Micropatch ∗∗∗
---------------------------------------------
Update 1/28/2021: Since our publication of the micropatch for PsExec version 2.2, PsExec has been updated to versions 2.30, 2.31 and finally 2.32, where it still resides today. David was able to update his POC for each version, so the current version 2.32 is still vulnerable to the same attack.
---------------------------------------------
https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2,[...]
---------------------------------------------
https://lwn.net/Articles/844366/
∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000284205
∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000284202
∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000284206
∗∗∗ JasPer: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0100
∗∗∗ Drupal: Multiple vulnerabilities allow bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0099
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-01-2021 18:00 − Wednesday 27-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Emotet Takedown: We are informing affected parties in Austria ∗∗∗
---------------------------------------------
In a coordinated action by several law enforcement agencies, the network around the Emotet malware was shut down and taken over.
---------------------------------------------
https://cert.at/de/aktuelles/2021/1/emotet-takedown-wir-informieren-betroff…
∗∗∗ Here's how a researcher broke into Microsoft VS Code's GitHub ∗∗∗
---------------------------------------------
This month a researcher was awarded a bug bounty award of an undisclosed amount after he broke into the official GitHub repository of Microsoft Visual Studio Code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke…
∗∗∗ Linux malware uses open-source tool to evade detection ∗∗∗
---------------------------------------------
AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-malware-uses-open-sour…
∗∗∗ Phishing & Malspam with Leaf PHPMailer ∗∗∗
---------------------------------------------
It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL or download a malicious attachment.
---------------------------------------------
https://blog.sucuri.net/2021/01/phishing-malspam-with-leaf-phpmailer.html
∗∗∗ Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication ∗∗∗
---------------------------------------------
FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff…
∗∗∗ Caution when buying FFP2 masks online! ∗∗∗
---------------------------------------------
On the websites givenic.com and quantheco.com, cheap FFP2 masks and other "COVID-19 health tools" are offered.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-online-kauf-von-ffp2-m…
∗∗∗ LogoKit: Simple, Effective, and Deceptive ∗∗∗
---------------------------------------------
As sophisticated attacks dominate the headlines, it's important to remember that the vast majority of cybercrime results from simple, effective, and tested tools.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/logokit-phishing/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple critical patches fix in-the-wild iPhone exploits – update now! ∗∗∗
---------------------------------------------
Apple says "Additional details available soon", which you can translate as "this one took us by surprise". So patch now!
---------------------------------------------
https://nakedsecurity.sophos.com/2021/01/27/apple-critical-patches-fix-in-t…
∗∗∗ New Attack Could Let Remote Hackers Target Devices On Internal Networks ∗∗∗
---------------------------------------------
A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research.
---------------------------------------------
https://thehackernews.com/2021/01/new-attack-could-let-remote-hackers.html
∗∗∗ New Docker Container Escape Bug Affects Microsoft Azure Functions ∗∗∗
---------------------------------------------
Cybersecurity researchers today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them.
---------------------------------------------
https://thehackernews.com/2021/01/new-docker-container-escape-bug-affects.h…
∗∗∗ Security update: Tor Browser protected against possible malicious code attacks ∗∗∗
---------------------------------------------
Anyone who wants to keep browsing the Internet anonymously and securely with the Tor Browser should install the current version.
---------------------------------------------
https://heise.de/-5037561
∗∗∗ Update now: Critical sudo flaw grants local attackers root privileges ∗∗∗
---------------------------------------------
Via the ten-year-old flaw CVE-2021-3156, local attackers can obtain root privileges through sudo without having any sudo permissions.
---------------------------------------------
https://heise.de/-5037687
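The two checks a practitioner wants for CVE-2021-3156 are the sudo version string and the behaviour of `sudoedit -s /` run as an unprivileged user: a vulnerable build fails with an error beginning with "sudoedit:", a fixed build prints a "usage:" line. The script below is an added example, not code from heise or the sudo project; the affected version ranges (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, fixed in 1.9.5p2) are the ones given in the public advisory, and the sample stderr strings in the functions' docstrings are constructed.

```python
"""Local exposure check for CVE-2021-3156 (sudo heap overflow, "Baron Samedit")."""
import re
import shutil
import subprocess

# Affected ranges from the public advisory: legacy 1.8.2 .. 1.8.31p2,
# stable 1.9.0 .. 1.9.5p1. Fixed in 1.9.5p2.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Turn 'Sudo version 1.9.5p2' (first line of `sudo -V`) into a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_affected(version_text):
    """True if the upstream version string falls inside an affected range."""
    v = parse_version(version_text)
    legacy = (1, 8, 2, 0) <= v <= (1, 8, 31, 2)
    stable = (1, 9, 0, 0) <= v <= (1, 9, 5, 1)
    return legacy or stable


def classify_sudoedit_output(stderr_text):
    """Interpret the stderr of `sudoedit -s /` run as a non-root user.

    Vulnerable: 'sudoedit: /: not a regular file'
    Patched:    'usage: sudoedit [-AknS] ...'
    """
    stripped = stderr_text.strip()
    first = stripped.splitlines()[0] if stripped else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def check_live_system():
    """Run both checks on this host; returns (version_affected, sudoedit_verdict)."""
    if shutil.which("sudo") is None or shutil.which("sudoedit") is None:
        return None, "sudo not installed"
    ver = subprocess.run(["sudo", "-V"], capture_output=True, text=True,
                         stdin=subprocess.DEVNULL).stdout
    proc = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return version_affected(ver), classify_sudoedit_output(proc.stderr)


if __name__ == "__main__":
    print(check_live_system())
```

Treat the `sudoedit` test as authoritative: distributions that backport the fix keep the old upstream version string (an Ubuntu 1.8.31 package can be patched), so the version check alone produces false positives.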
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).
---------------------------------------------
https://lwn.net/Articles/844184/
∗∗∗ OS command injection vulnerability in multiple Infoscience Corporation log management tools ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN41853173/
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210127-…
∗∗∗ Mozilla Firefox and Thunderbird: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0093
∗∗∗ MISP: Vulnerability enables cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0097
∗∗∗ Trend Micro ServerProtect: Multiple vulnerabilities enable denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0095
∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01
∗∗∗ Eaton EASYsoft (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03
∗∗∗ Mitsubishi Electric Multiple Products (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01
∗∗∗ Denial of Service in Rexroth ID 200/C-ETH using EtherNet/IP Protocol ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-775371.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-01-2021 18:00 − Tuesday 26-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Fun with NMAP NSE Scripts and DOH (DNS over HTTPS), (Mon, Jan 25th) ∗∗∗
---------------------------------------------
DOH (DNS over HTTPS) has been implemented in the various browsers over the last year or so, and there's a fair amount of support for it on public DNS services. Because it's encrypted and over TCP, the mantra of "because privacy" has carried the day it looks like. But why do network and system admins hate it so?
---------------------------------------------
https://isc.sans.edu/diary/rss/27026
∗∗∗ Apache Software Foundation: More projects and more security advisories ∗∗∗
---------------------------------------------
The Apache Software Foundation's Security Report 2020 shows an increase in relevant security advisories for the projects under the foundation's umbrella.
---------------------------------------------
https://heise.de/-5035647
∗∗∗ SMS "We could not deliver your parcel" is a scam ∗∗∗
---------------------------------------------
"We could not deliver your parcel" reads an SMS from InfoTrack. The link provided leads to a request to pay 1 euro for shipping. But beware: this notification is a scam. Anyone who pays this fee falls into an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-wir-konnten-ihr-paket-nicht-lief…
∗∗∗ New Variant of Ursnif Continuously Targeting Italy ∗∗∗
---------------------------------------------
Ursnif is a well-known banking Trojan with a large number of variants providing a diverse set of capabilities. A report from Fortinet analyzes a new variant of the malware specifically targeting users in Italy.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/669b7072b9792bc67a9d430517e…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).
---------------------------------------------
https://lwn.net/Articles/844054/
∗∗∗ Nagios Enterprises Nagios XI: Vulnerability enables code execution ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Nagios Enterprises Nagios XI to execute arbitrary code.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0087
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-01-2021 18:00 − Monday 25-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security baseline for Microsoft Edge, version 88 ∗∗∗
---------------------------------------------
We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 88! We have reviewed the settings in Microsoft Edge version 88 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 88 package from the Security Compliance Toolkit.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Video: Doc & RTF Malicious Document, (Sun, Jan 24th) ∗∗∗
---------------------------------------------
I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files.
---------------------------------------------
https://isc.sans.edu/diary/rss/27022
∗∗∗ Scanning for Accessible MS-RDPEUDP services ∗∗∗
---------------------------------------------
We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.
---------------------------------------------
https://www.shadowserver.org/news/scanning-for-accessible-ms-rdpeudp-servic…
∗∗∗ RIFT: Analysing a Lazarus Shellcode Execution Method ∗∗∗
---------------------------------------------
After analysing the macro document, and pivoting on the macro, NCC Group's RIFT identified a number of other similar documents. In these documents we came across an interesting technique being used to execute shellcode from VBA without the use of common "suspicious" APIs, such as VirtualAlloc, WriteProcessMemory or CreateThread – which may be detected by end point protection solutions. Instead, the macro documents abuse "benign" Windows API features to achieve code-execution.
---------------------------------------------
https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode…
∗∗∗ Firewall vendor SonicWall investigates possible zero-day vulnerabilities in its products ∗∗∗
---------------------------------------------
Attackers exploited previously unknown vulnerabilities in SonicWall products to break into the vendor's own systems.
---------------------------------------------
https://heise.de/-5033933
∗∗∗ From low to critical: Vulnerability assessment with CVSS ∗∗∗
---------------------------------------------
The Common Vulnerability Scoring System helps with assessing vulnerabilities. We explain how the system works and where its limits are.
---------------------------------------------
https://heise.de/-5031983
∗∗∗ DNSpooq: How haunted is Austria? ∗∗∗
---------------------------------------------
On 2021-01-19, JSOF published a series of vulnerabilities in dnsmasq, a popular DNS resolver for small networks. Their blog post groups these flaws under the name "DNSpooq" and describes two possible attack scenarios: ...
---------------------------------------------
https://cert.at/de/aktuelles/2021/1/dnspooq-wie-sehr-spukts-in-osterreich
∗∗∗ Review of the last third of 2020 ∗∗∗
---------------------------------------------
Incidents and notifications: ZeroLogon, Emotet, Microsoft Exchange CVE-2020-0688, Windows Server without support, unpatched Sophos Firewall XG instances, SonicOS DoS and RCE, cit0day leak, a leak rarely comes alone, ...
---------------------------------------------
https://cert.at/de/blog/2021/1/ruckblick-auf-das-letzte-drittel-2020
=====================
= Vulnerabilities =
=====================
∗∗∗ BlackBerry Powered by Android Security Bulletin - January 2021 ∗∗∗
---------------------------------------------
This advisory is in response to the Android Security Bulletin (January 2021) and addresses issues in that Security Bulletin that affect BlackBerry powered by Android smartphones.
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (ImageMagick, hawk2, mutt, permissions, stunnel) and Ubuntu (pound).
---------------------------------------------
https://lwn.net/Articles/843855/
∗∗∗ Cisco DNA Center Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Synology-SA-21:01 DNSpooq ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_01
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-01-2021 18:00 − Friday 22-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd) ∗∗∗
---------------------------------------------
When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the .jnlp extension.
---------------------------------------------
https://isc.sans.edu/diary/rss/27018
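A `.jnlp` attachment is a Java Web Start launcher: on a host that still has Web Start installed, opening it fetches and runs code from whatever URL the XML names, so it belongs on the same MTA block list as `.exe` or `.hta`. The filter below is an added example, not code from the ISC diary. It uses only the standard library, matches on the final extension so that `invoice.pdf.JNLP` is still caught, and separately sniffs attachment bodies for the `<jnlp` root element so a renamed launcher is flagged as well. The sample message and the remainder of the block list are constructed assumptions.

```python
"""Flag mail attachments by extension and by JNLP content, MTA-filter style."""
import email
import email.policy
from email.message import EmailMessage

# Extensions that should not arrive from outside as attachments. .jnlp is the
# one from the diary; the others are a typical (assumed) starting list.
BLOCKED_EXTENSIONS = {".jnlp", ".exe", ".scr", ".js", ".vbs", ".hta", ".iso"}


def _attachment_parts(raw_bytes):
    """Yield (filename, decoded payload bytes) for every attachment-like part."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            yield name or "", part.get_payload(decode=True) or b""


def blocked_by_name(raw_bytes):
    """Attachment names whose final extension is on the block list."""
    hits = []
    for name, _payload in _attachment_parts(raw_bytes):
        lower = name.lower().strip()
        # Only the last suffix counts, so double extensions do not help the sender.
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def jnlp_by_content(raw_bytes):
    """Attachments that are JNLP documents regardless of their name."""
    hits = []
    for name, payload in _attachment_parts(raw_bytes):
        head = payload[:512].lstrip().lower()
        if b"<jnlp" in head:
            hits.append(name)
    return hits


def build_sample(filename, content_type=("application", "x-java-jnlp-file")):
    """Constructed test message with a single attachment; not a real capture."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Your invoice"
    m.set_content("Please open the attached file.")
    m.add_attachment(b"<jnlp spec='1.0+' codebase='https://example.net/'></jnlp>",
                     maintype=content_type[0], subtype=content_type[1],
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(blocked_by_name(build_sample("Invoice.pdf.JNLP")))
    print(jnlp_by_content(build_sample("report.pdf", ("application", "pdf"))))
```

Both functions return the names to quarantine; in a milter you would reject or strip the part rather than just log. The content check is the more robust of the two, because the extension list only grows after the next diary entry.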
∗∗∗ Magento PHP Injection Loads JavaScript Skimmer ∗∗∗
---------------------------------------------
A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files.
---------------------------------------------
https://blog.sucuri.net/2021/01/magento-php-injection-loads-javascript-skim…
∗∗∗ Project Zero: Windows Exploitation Tricks: Trapping Virtual Memory Access ∗∗∗
---------------------------------------------
This blog is a continuation of my series of Windows exploitation tricks. This one describes an exploitation trick I’ve been trying to develop for years, succeeding (mostly, more on that later) on the latest versions of Windows 10.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/windows-exploitation-tricks-…
∗∗∗ Crypto-miner Dovecat targets network storage from Qnap and Synology ∗∗∗
---------------------------------------------
Current security advisories are meant to protect network-attached storage (NAS) devices from Qnap and Synology.
---------------------------------------------
https://heise.de/-5032679
∗∗∗ New website launched to document vulnerabilities in malware strains ∗∗∗
---------------------------------------------
Launched by security researcher John Page, the new MalVuln website lists bugs in malware code.
---------------------------------------------
https://www.zdnet.com/article/new-website-launched-to-document-vulnerabilit…
∗∗∗ A look at the NIS 2.0 Recitals ∗∗∗
---------------------------------------------
The EU commission dropped a large cyber security package on December 16th 2020, including a first draft for a new version of the NIS Directive. In front of the actual normative legal text, there are 84 recitals, describing the intents of the regulation.
---------------------------------------------
https://cert.at/en/blog/2021/1/nis2-recitals-feedback
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 ∗∗∗
---------------------------------------------
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN38248512/
∗∗∗ Multiple vulnerabilities in Selea CarPlateServer and Selea Targa IP OCR-ANPR cameras ∗∗∗
---------------------------------------------
Zeroscience has found various vulnerabilities in two products of the company Selea. In both, among other things, ways to execute arbitrary code were found.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ 0day in Windows 7 and Server 2008 R2 Gets a Micropatch ∗∗∗
---------------------------------------------
Update 1/22/2021: This vulnerability did not get patched by December 2020 or January 2021 Extended Security Updates, so we ported our micropatch to these updates.
---------------------------------------------
https://blog.0patch.com/2020/11/0day-in-windows-7-and-server-2008-r2.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).
---------------------------------------------
https://lwn.net/Articles/843571/
∗∗∗ Windows RDP servers are being abused to amplify DDoS attacks ∗∗∗
---------------------------------------------
Windows RDP servers running on UDP port 3389 can be ensnared in DDoS botnets and abused to bounce and amplify junk traffic towards victim networks.
---------------------------------------------
https://www.zdnet.com/article/windows-rdp-servers-are-being-abused-to-ampli…
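The Shadowserver and ZDNet entries above describe the same exposure from two sides: an MS-RDPEUDP listener on 3389/UDP answers a small spoofed packet with a much larger reply, quoted as an amplification factor of over 84. In flow data that shows up as a server port 3389/UDP sending far more bytes to a "client" than it received from it. The script below is an added example, not code from Shadowserver or ZDNet: it parses constructed flow records in a simplified `ts src sport dst dport proto bytes` format (an assumption, not a real NetFlow export) and flags servers whose UDP reply volume per peer exceeds the quoted factor.

```python
"""Find MS-RDPEUDP reflectors in (constructed) flow records."""
from collections import defaultdict

# Constructed sample, not a capture. 192.0.2.10 answers 60-byte UDP probes on
# 3389 with 5200-byte replies; the 203.0.113.9 session is a normal client.
SAMPLE_FLOWS = """\
# ts         src          sport dst          dport proto bytes
1611000001 198.51.100.7 40000 192.0.2.10   3389  udp   60
1611000001 192.0.2.10   3389  198.51.100.7 40000 udp   5200
1611000002 198.51.100.7 40001 192.0.2.10   3389  udp   60
1611000002 192.0.2.10   3389  198.51.100.7 40001 udp   5200
1611000003 203.0.113.9  51000 192.0.2.10   3389  udp   1400
1611000003 192.0.2.10   3389  203.0.113.9  51000 udp   1500
1611000004 203.0.113.9  51001 192.0.2.10   3389  tcp   900
1611000004 192.0.2.10   3389  203.0.113.9  51001 tcp   1200
"""


def parse_flows(text):
    """Parse one flow per line; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(dict(ts=int(ts), src=src, sport=int(sport), dst=dst,
                          dport=int(dport), proto=proto, bytes=int(nbytes)))
    return flows


def udp_reply_ratios(flows, port=3389):
    """Per (server, peer): bytes the server sent on UDP/port divided by bytes received."""
    inbound = defaultdict(int)   # (server, peer) -> bytes peer -> server
    outbound = defaultdict(int)  # (server, peer) -> bytes server -> peer
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == port:
            inbound[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == port:
            outbound[(f["src"], f["dst"])] += f["bytes"]
    ratios = {}
    for key, out_bytes in outbound.items():
        in_bytes = inbound.get(key, 0)
        ratios[key] = out_bytes / in_bytes if in_bytes else float("inf")
    return ratios


def flag_reflectors(flows, threshold=84.0, port=3389):
    """Servers whose UDP/port replies to some peer reach `threshold` times the request bytes."""
    hits = {server for (server, _peer), ratio in udp_reply_ratios(flows, port).items()
            if ratio >= threshold}
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, ratio in udp_reply_ratios(flows).items():
        print(key, round(ratio, 1))
    print("reflectors:", flag_reflectors(flows))
```

The byte ratio is a proxy for the per-packet amplification factor, which is why the threshold is applied per peer rather than per flow; a spoofed victim address shows up as a peer that only ever "sends" tiny probes. The fix is the one both articles imply: do not expose 3389/UDP to the Internet at all, and put RDP behind a VPN or gateway.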
∗∗∗ Delta Electronics ISPSoft ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use After Free vulnerability in Delta Electronics ISPSoft PLC program development tool.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-01
∗∗∗ Delta Electronics TPEditor ∗∗∗
---------------------------------------------
This advisory contains mitigations for Untrusted Pointer Dereference, and Out-of-bounds Write vulnerabilities in Delta Electronics TPEditor programming software for Delta text panels.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-02
∗∗∗ Honeywell OPC UA Tunneller ∗∗∗
---------------------------------------------
This advisory contains mitigations for Heap-based Buffer Overflow, Out-of-bounds Read, Improper Check for Unusual or Exceptional Conditions, and Uncontrolled Resource Consumption vulnerabilities in Honeywell's OPC UA Tunneller software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03
∗∗∗ Mitsubishi Electric MELFA ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric's MELFA robot controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-04
∗∗∗ WAGO M&M Software fdtCONTAINER ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in the M&M (a WAGO subsidiary) fdtCONTAINER application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to a denial of service attack (CVE-2020-4766) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru…
∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects GCM16 & GCM32 KVM Switch Firmware (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple Mozilla Firefox vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Security Vulnerability in IBM Java SDK affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-01-2021 18:00 − Thursday 21-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop ∗∗∗
---------------------------------------------
One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?
---------------------------------------------
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solor…
∗∗∗ Powershell Dropping a REvil Ransomware, (Thu, Jan 21st) ∗∗∗
---------------------------------------------
I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!
---------------------------------------------
https://isc.sans.edu/diary/rss/27012
∗∗∗ Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw ∗∗∗
---------------------------------------------
A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.
---------------------------------------------
https://www.securityweek.com/scanning-activity-detected-after-release-explo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/843413/
∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affect IBM Watson Machine Learning Accelerator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are affected by vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser (CVE-2018-1311) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Vulnerability in gencore affects AIX (CVE-2020-4887) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gencore-…
∗∗∗ Security Bulletin: Vulnerability in Apache Ant affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Vulnerability in Google Guava affects WebSphere Service Registry and Repository (CVE-2018-10237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-g…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4969) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Rational Test Control Panel affected by Spring Framework vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-test-control-pan…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4958) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4966) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ XSA-360 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-360.html
∗∗∗ Drupal: Vulnerability enables execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0081
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-01-2021 18:00 − Wednesday 20-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Qakbot activity resumes after holiday break, (Wed, Jan 20th) ∗∗∗
---------------------------------------------
It had been relatively quiet for Qakbot until Tuesday 2021-01-19, when we started seeing malicious spam (malspam) pushing Qakbot again.
---------------------------------------------
https://isc.sans.edu/diary/rss/27008
∗∗∗ Google Project Zero: The State of State Machines ∗∗∗
---------------------------------------------
On January 29, 2019, a serious vulnerability was discovered in Group FaceTime.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.…
∗∗∗ Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments ∗∗∗
---------------------------------------------
A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-target…
∗∗∗ Abuse.ch URLhaus added as a new data source for our notifications ∗∗∗
---------------------------------------------
Since Wednesday, 13 January 2020, we have been including the data of the abuse.ch project's URLhaus feeds in our regular notifications to network operators. The feeds comprise URLs hosting malware files of various malware families.
---------------------------------------------
https://cert.at/de/blog/2021/1/abusech-urlhaus-als-neue-datenquelle-fur-uns…
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Critical Patch Update Advisory - January 2021 ∗∗∗
---------------------------------------------
This Critical Patch Update contains 329 new security patches.
---------------------------------------------
https://www.oracle.com/security-alerts/cpujan2021.html
∗∗∗ Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 ∗∗∗
---------------------------------------------
In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-harden…
∗∗∗ Cisco Security Advisories 2021-01-20 ∗∗∗
---------------------------------------------
4 Critical, 9 High, 18 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Privilege escalation: Critical vulnerability in older iOS and macOS versions ∗∗∗
---------------------------------------------
The bug in Apple's XPC interface can be exploited to obtain elevated privileges, a security researcher warns.
---------------------------------------------
https://heise.de/-5030842
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (coturn, dovecot, glibc, and sudo), Mageia (openldap and resource-agents), openSUSE (dnsmasq, python-jupyter_notebook, viewvc, and vlc), Oracle (dnsmasq and xstream), SUSE (perl-Convert-ASN1, postgresql, postgresql13, and xstream), and Ubuntu (nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, pillow, pyxdg, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/843255/
∗∗∗ Two Vulnerabilities in Bosch Fire Monitoring System (FSM) ∗∗∗
---------------------------------------------
BOSCH-SA-332072-BT: Two vulnerabilities have been discovered affecting the Bosch Fire Monitoring System (FSM-2500 and FSM-5000). The critical issue applies to FSM systems with versions 5.2 and lower.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-332072-bt.html
∗∗∗ Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021 ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Inconsistent Interpretation of HTTP Requests Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210120-…
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210120-…
∗∗∗ Intel Ethernet 700 Series Controllers vulnerabilities CVE-2020-8690, CVE-2020-8691, CVE-2020-8692, and CVE-2020-8693 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28563873
∗∗∗ MISP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0057
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-01-2021 18:00 − Tuesday 19-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Linux Devices Under Attack by New FreakOut Malware ∗∗∗
---------------------------------------------
The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks.
---------------------------------------------
https://threatpost.com/linux-attack-freakout-malware/163137/
∗∗∗ Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a fourth new malware strain, designed to spread the malware onto other computers in victims' networks, which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.
---------------------------------------------
https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html
∗∗∗ Set a new password now! OpenWrt forum hacked ∗∗∗
---------------------------------------------
Attackers were able to access user data of the OpenWrt forum, where users of the alternative operating system (for routers, among other devices) exchange information.
---------------------------------------------
https://heise.de/-5028697
∗∗∗ Three Word Passwords ∗∗∗
---------------------------------------------
The National Cyber Security Centre (NCSC) have advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency and multiple police forces in the UK... but just how strong are these passwords?
---------------------------------------------
https://www.pentestpartners.com/security-blog/three-word-passwords/
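To put a number on the question the post asks, here is an added worked example (it is not code from the Pen Test Partners post): it computes the entropy of a passphrase of k words drawn uniformly from a word list of size N, compares it with a random character password of the same kind, and converts both into an expected offline cracking time. The word-list sizes and the 10^10 guesses/second rate are assumptions chosen for illustration, not figures from the post.

```python
import math

# Guess rate assumed for an offline attack on a fast, unsalted hash
# (an assumption for illustration, not a figure from the blog post).
GUESSES_PER_SECOND = 1e10

# Word-list sizes to compare; the first and last are round numbers chosen for
# illustration, 7776 is the size of a diceware-style list (6^5 entries).
WORD_LISTS = {
    "2000 common words": 2000,
    "7776-word diceware-style list": 7776,
    "100000-word dictionary": 100000,
}


def passphrase_bits(dictionary_size, word_count):
    """Entropy in bits of `word_count` words drawn uniformly from the list.

    Worst case for the user: the attacker knows the word list and the word
    count, so the only unknown is which words were picked."""
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need a list of >= 2 words and >= 1 word")
    return word_count * math.log2(dictionary_size)


def random_password_bits(alphabet_size, length):
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of >= 2 symbols and >= 1 character")
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the secret: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_schemes(word_count=3, word_lists=WORD_LISTS):
    """Return (label, bits, expected seconds) rows, weakest scheme first,
    with an 8-character random alphanumeric password as a reference point."""
    rows = []
    for label, size in word_lists.items():
        bits = passphrase_bits(size, word_count)
        rows.append((f"{word_count} words from {label}", bits, expected_crack_seconds(bits)))
    ref_bits = random_password_bits(62, 8)
    rows.append(("8 random [A-Za-z0-9] characters", ref_bits, expected_crack_seconds(ref_bits)))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for label, bits, secs in compare_schemes():
        print(f"{label:40s} {bits:6.1f} bits  ~{secs:12.1f} s at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Three words from a 7776-entry list come to about 39 bits, which an attacker with a fast unsalted hash searches in well under a minute at the assumed rate; three words from a 100000-word dictionary beat an 8-character random alphanumeric password. The calculation assumes the words really were chosen uniformly at random; words a person picks from memory cluster on a far smaller effective list, and on the defender's side a slow salted hash (bcrypt, scrypt, Argon2) cuts the guess rate by several orders of magnitude compared with a raw MD5 or NTLM hash.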
∗∗∗ All That for a Coinminer? ∗∗∗
---------------------------------------------
A threat actor recently brute-forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but also exported all Kerberos tickets ...
---------------------------------------------
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
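The intrusion summarised above starts with an RDP password brute force, which is visible in the Security log before any Mimikatz activity. As an added example (not code from The DFIR Report), the following detector runs over constructed log lines in a simplified "timestamp event_id key=value" form and flags a source IP with five or more failed RemoteInteractive (LogonType 10) logons (event 4625) within five minutes, escalating the alert if a successful logon (event 4624) from the same source follows within the window. The line format, field names and thresholds are assumptions to adapt to your SIEM's export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp event_id key=value ..." form,
# not real Windows Security log output; map your SIEM's field names onto these.
SAMPLE_LOG = """\
2021-01-10T03:12:01Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2021-01-10T03:12:02Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2021-01-10T03:12:03Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2021-01-10T03:12:04Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2021-01-10T03:12:05Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2021-01-10T03:12:09Z 4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2021-01-10T03:15:00Z 4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2021-01-10T03:20:00Z 4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.23
"""

FAILED_LOGON = "4625"      # Windows Security event: an account failed to log on
SUCCESSFUL_LOGON = "4624"  # Windows Security event: an account was successfully logged on
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


def parse_line(line):
    """Split one constructed line into a dict with a parsed timestamp."""
    ts, event_id, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event_id": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.

    Returns one alert dict per offending IP; if a successful RDP logon from
    that IP follows within the window, the alert is marked succeeded, which is
    the case that needs an immediate response (credential dumping usually
    follows within minutes, as in the report above)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed RDP logons
    alerts = {}                     # ip -> alert
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != REMOTE_INTERACTIVE:
            continue                # only RDP-style logons are of interest here
        ip = rec.get("IpAddress", "?")
        recent = failures[ip]
        if rec["event_id"] == FAILED_LOGON:
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()    # drop failures that fell out of the sliding window
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(recent),
                              "user": rec.get("TargetUserName"),
                              "first_failure": recent[0].isoformat(),
                              "succeeded": False}
        elif rec["event_id"] == SUCCESSFUL_LOGON and ip in alerts:
            if recent and rec["ts"] - recent[-1] <= window:
                alerts[ip]["succeeded"] = True
                alerts[ip]["success_at"] = rec["ts"].isoformat()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields a single alert for 203.0.113.7 with `succeeded` set, because the 4624 arrives four seconds after the fifth 4625. The next detections in the chain described by the report, LSASS access for the credential dump and the Kerberos ticket export, need Sysmon or EDR telemetry rather than the Security log and are not covered here.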
=====================
= Vulnerabilities =
=====================
∗∗∗ DNSpooq: Multiple security vulnerabilities in Dnsmasq ∗∗∗
---------------------------------------------
The IT security firm JSOF reports several security vulnerabilities in the DNS server software Dnsmasq, which it has named DNSpooq. They fall into two initially quite different classes of problems: buffer overflows in the processing of DNSSEC records, and insufficient protection against DNS spoofing attacks. ... Dnsmasq has fixed the vulnerabilities in version 2.83. In many cases, however, installing updates is likely to be difficult: Dnsmasq is very commonly used in embedded devices and on Android phones, that is, on exactly the devices that often receive no regular security updates. The DNSpooq website lists a whole series of affected vendors together with their security advisories, but the list is likely to be incomplete.
---------------------------------------------
https://www.golem.de/news/dnspooq-mehrere-sicherheitsluecken-in-dnsmasq-210…
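Two things a practitioner will want after reading this: a quick way to tell whether an installed dnsmasq is below the fixed 2.83, and a generic check of how well a forwarder randomises the source port and transaction ID that an off-path spoofer has to guess. The following is an added example, not code from JSOF or the dnsmasq project. It assumes the upstream banner format of `dnsmasq --version`; the (port, TXID) sample pairs are constructed, and the entropy figure is only a rough proxy, since a measurement over n queries can never show more than log2(n) bits.

```python
import re
from collections import Counter
from math import log2

FIXED_VERSION = (2, 83)   # DNSpooq fixed in dnsmasq 2.83, per the golem.de item above


def parse_dnsmasq_version(banner):
    """Return (major, minor) from the first line of `dnsmasq --version`.

    The upstream banner reads 'Dnsmasq version 2.80  Copyright (c) ...'.
    Distributions may backport the fix without bumping the version, so a
    'not fixed' result means 'check the vendor advisory', not 'exploitable'."""
    match = re.search(r"Dnsmasq version (\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no dnsmasq version banner found")
    return int(match.group(1)), int(match.group(2))


def version_is_fixed(banner):
    return parse_dnsmasq_version(banner) >= FIXED_VERSION


def _entropy_bits(values):
    """Shannon entropy of the observed sample; at most log2(len(values))."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def randomisation_report(samples, min_fraction=0.9):
    """Rate how unpredictable a forwarder's outbound queries look to an
    off-path spoofer, given observed (source_port, txid) pairs.

    A well-behaved resolver spreads queries over the ephemeral port range and
    the full 16-bit TXID space, leaving close to 32 bits to guess; one that
    pins a single source port leaves only the 16-bit TXID, which is brute
    forceable. `min_fraction` (share of the maximum entropy the sample size
    allows) is an arbitrary review threshold, not a standard."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    max_bits = log2(n)              # the most any n-sample measurement can show
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = round(_entropy_bits(ports), 2)
    txid_bits = round(_entropy_bits(txids), 2)
    return {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": port_bits,
        "txid_entropy_bits": txid_bits,
        "port_entropy_fraction": round(port_bits / max_bits, 2),
        "looks_randomised": (port_bits / max_bits >= min_fraction
                             and txid_bits / max_bits >= min_fraction),
    }


# Constructed samples: a resolver that pins port 53 for every query versus one
# that picks a fresh ephemeral port and TXID each time.
PINNED_PORT = [(53, txid) for txid in (0x1a2b, 0x9c01, 0x7777, 0x0042,
                                       0xbeef, 0x1234, 0xabcd, 0x0f0f)]
RANDOM_PORT = [(32768 + 1000 * i, txid) for i, (_, txid) in enumerate(PINNED_PORT)]

if __name__ == "__main__":
    print(version_is_fixed("Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"))
    print(randomisation_report(PINNED_PORT))
    print(randomisation_report(RANDOM_PORT))
```

In practice the pairs would come from a packet capture of the forwarder's upstream traffic (a few hundred queries), and a pinned or narrowly varying source port is the finding to act on regardless of the dnsmasq version, since it removes half of the entropy a spoofer has to beat.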
∗∗∗ Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the Universal Plug and Play (UPnP) service and the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow a remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has not released software updates that address these vulnerabilities. There are no workarounds
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).
---------------------------------------------
https://lwn.net/Articles/843142/
∗∗∗ Atlassian Confluence: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in Atlassian Confluence to carry out a denial-of-service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0052
∗∗∗ Philips Interventional Workstations ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01
∗∗∗ Reolink P2P Cameras ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-019-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-01-2021 18:00 − Monday 18-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Antivirus: The year of insecure security software ∗∗∗
---------------------------------------------
Security software is supposed to protect us, but the past year has shown once again that instead of protection it delivers security problems free of charge.
---------------------------------------------
https://www.golem.de/news/antivirus-das-jahr-der-unsicheren-sicherheitssoft…
∗∗∗ Medical Device Security: Diagnosis Critical ∗∗∗
---------------------------------------------
Medical-device security has long been a challenge, suffering the same uphill management battle that the entire sprawling mess of IoT gadgets has faced.
---------------------------------------------
https://threatpost.com/medical-device-security/163127/
∗∗∗ Obfuscated DNS Queries, (Fri, Jan 15th) ∗∗∗
---------------------------------------------
This week I started seeing some URLs with /dns-query?dns in my honeypot. The queries obviously did not look like standard DNS queries; this got me curious, and I then proceeded to investigate what these DNS queries were trying to resolve.
---------------------------------------------
https://isc.sans.edu/diary/rss/26992
∗∗∗ New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th) ∗∗∗
---------------------------------------------
Version 13.01 of Sysmon, a Windows Sysinternals tool to monitor and log system activity, was released.
---------------------------------------------
https://isc.sans.edu/diary/rss/26994
∗∗∗ Doc & RTF Malicious Document, (Mon, Jan 18th) ∗∗∗
---------------------------------------------
A reader pointed us to a malicious Word document.
---------------------------------------------
https://isc.sans.edu/diary/rss/26996
∗∗∗ NSA Releases Guidance on Encrypted DNS in Enterprise Environments ∗∗∗
---------------------------------------------
Original release date: January 15, 2021. The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guid…
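The `/dns-query?dns=` pattern from the honeypot diary above is the RFC 8484 GET form of DNS over HTTPS: the `dns` parameter carries a DNS wire-format message encoded as base64url without padding, which is why it does not look like a conventional DNS query in a web log. Investigating such requests, and the enterprise DNS monitoring the NSA information sheet recommends, both need a decoder, so the following added example (not code from the ISC diary or the NSA document) builds a sample query for example.com, encodes it as a DoH GET parameter, and decodes it back into transaction ID, flags and question. The query builder and the sample names are constructed for the demonstration; the decoder rejects truncated messages and compression pointers in the question name rather than trusting the input.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}  # subset, display only
MAX_LABELS = 127


def build_query(name, qtype=1, txid=0):
    """Build a minimal RFC 1035 wire-format query (RD set, one question).
    Used here only to construct a sample; a client library would do this."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN


def doh_get_param(message):
    """Encode a DNS message as the RFC 8484 GET `dns` parameter: base64url, no padding."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def decode_doh_param(param):
    """Decode a `dns=` parameter back to its header fields and question."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))  # restore padding
    if len(raw) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", raw[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    labels, pos = [], 12
    while True:
        if pos >= len(raw):
            raise ValueError("truncated question name")
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # A compression pointer cannot refer to anything before the first
            # question, so treat it as malformed rather than follow it.
            raise ValueError("compression pointer in question name")
        if len(labels) >= MAX_LABELS:
            raise ValueError("too many labels")
        labels.append(raw[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(raw):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack(">HH", raw[pos:pos + 4])
    return {"txid": txid, "flags": flags, "name": ".".join(labels),
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass,
            "answers": ancount, "authority": nscount, "additional": arcount}


def decode_doh_url(url):
    """Extract and decode the `dns` parameter from a request path or full URL."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        raise ValueError("no dns= parameter")
    return decode_doh_param(params["dns"][0])


if __name__ == "__main__":
    sample = doh_get_param(build_query("example.com"))   # constructed sample
    print("/dns-query?dns=" + sample)
    print(decode_doh_url("/dns-query?dns=" + sample))
```

Run over a web server's access log, `decode_doh_url` turns each such request line into the name that was actually looked up, which is the first thing to know when a host that should be using the enterprise resolver is seen talking to an external DoH endpoint. Real RFC 8484 clients usually send POST bodies with `content-type: application/dns-message` instead, which this decoder handles the same way once the body is read as bytes and passed directly to the header parser.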
∗∗∗ Skimming: Losses from data theft at ATMs at a record low ∗∗∗
---------------------------------------------
Experts consider data theft at ATMs in Germany to be a dying practice. Both the number of attacks and the losses fell to record lows in 2020.
---------------------------------------------
https://heise.de/-5026975
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-072: NETGEAR R7450 SOAP API RecoverAdminPassword Improper Access Control Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-072/
∗∗∗ ZDI-21-071: NETGEAR R7450 Password Recovery External Control of Critical State Data Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-071/
∗∗∗ ZDI-21-070: Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-070/
∗∗∗ ZDI-21-069: Apple macOS process_token_BlitLibSetup2D Out-Of-Bounds Write Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-069/
∗∗∗ Critical admin vulnerability in WordPress plug-in Orbit Fox ∗∗∗
---------------------------------------------
An important security update is available for the WordPress plug-in Orbit Fox.
---------------------------------------------
https://heise.de/-5027252
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (flatpak, ruby-redcarpet, and wavpack), Fedora (dia, mingw-openjpeg2, and openjpeg2), Mageia (awstats, bison, cairo, kernel, kernel-linus, krb5, nvidia-current, nvidia390, php, and thunderbird), openSUSE (cobbler, firefox, kernel, libzypp, zypper, nodejs10, nodejs12, and nodejs14), Scientific Linux (thunderbird), Slackware (wavpack), SUSE (kernel, nodejs8, open-iscsi, openldap2, php7, php72, php74, slurm_20_02, and thunderbird), and Ubuntu (ampache,[...]
---------------------------------------------
https://lwn.net/Articles/842834/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit,[...]
---------------------------------------------
https://lwn.net/Articles/843054/
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Websphere Hibernate Validator Vulnerability Affects IBM Control Center (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-hibernate-valid…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2020-4576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: Apache ActiveMQ Vulnerability Affects IBM Control Center (CVE-2020-13920) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-activemq-vulnerabi…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-01-2021 18:00 − Friday 15-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Extortionists know your personal data? Don't be intimidated! ∗∗∗
---------------------------------------------
We regularly receive reports of extortion e-mails that quote personal data of the recipients. An extortion e-mail is currently circulating in which the criminals claim to know a great deal about the recipients, citing their address and telephone number as proof. Even if this knowledge is unsettling, do not let yourself be intimidated, and ignore the extortionists' demands.
---------------------------------------------
https://www.watchlist-internet.at/news/erpresserinnen-kennen-ihre-persoenli…
∗∗∗ Hunting for Bugs in Windows Mini-Filter Drivers ∗∗∗
---------------------------------------------
In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I’ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-…
∗∗∗ Cyber Security advice for Finance staff ∗∗∗
---------------------------------------------
Working in the finance team at PTP, I'm constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education. When I [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cyber-security-advice-for-fin…
∗∗∗ Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26990
=====================
= Vulnerabilities =
=====================
∗∗∗ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 ∗∗∗
---------------------------------------------
Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/01/14/netlogon-domain-controller-e…
∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗
---------------------------------------------
The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/apache-releases-s…
∗∗∗ ZDI-21-068: Panasonic Control FPWIN Pro Project File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panasonic Control FPWIN Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-068/
∗∗∗ Mitsubishi Electric Factory Automation Products Path Traversal (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-20-212-03 Mitsubishi Electric Factory Automation Products Path Traversal that was published July 30, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Path Traversal vulnerability in Mitsubishi Electric Factory Automation products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-03
∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update B) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the advisory update titled ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update A) that was published November 5, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Unquoted Search Path or Element vulnerability in Mitsubishi Electric Factory Automation Engineering products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04
∗∗∗ Security Bulletin: Vulnerability in Apache Solr affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
∗∗∗ Security Bulletin: Malicious file upload and download could affect Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-malicious-file-upload-and…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Cross Site Scripting vulnerability in Google Web Toolkit may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2012-5920 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…