- Daily - CERT.at

Tageszusammenfassung - 11.05.2021
by Daily end-of-shift report 11 May '21

11 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 10-05-2021 18:00 − Dienstag 11-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI aktualisiert den Mindeststandard zur Verwendung von Transport Layer Security (TLS) ∗∗∗ --------------------------------------------- Die neue Version 2.2 des Mindeststandards berücksichtigt die aktuellen Empfehlungen der technischen Richtlinien des BSI (TR 02102-2, TR 03116-4) und thematisiert den Umgang mit TLS-Protokoll-Versionen und kryptografischen Verfahren, die nicht den Vorgaben des Mindeststandards entsprechen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Gefälschtes E-Mail der bank99 im Umlauf ∗∗∗ --------------------------------------------- Ihr bank99-Konto wurde angeblich gesperrt, weil Sie Ihre Identität nicht bestätigt haben? Vorsicht, diese Kundenmitteilung ist gefälscht. Kriminelle fälschen bank99-E-Mails, um an Ihre Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den "Vorgang starten"-Link. Sie werden auf eine nachgebaute Login-Website geleitet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-der-bank99-im-um… ∗∗∗ US and Australia warn of escalating Avaddon ransomware attacks ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-and-australia-warn-of-esc… ∗∗∗ TeaBot: a new Android malware emerged in Italy, targets banks in Europe ∗∗∗ --------------------------------------------- [...] At the beginning of January 2021, a new Android banker started appearing and it was discovered and analysed by our Threat Intelligence and Incident Response (TIR) team. Since lack of information and the absence of a proper nomenclature of this Android banker family, we decide to dub it as TeaBot to better track this family inside our internal Threat Intelligence taxonomy. --------------------------------------------- https://www.cleafy.com/documents/teabot ∗∗∗ Beware of Applications Misusing Root Stores ∗∗∗ --------------------------------------------- We have been alerted about applications that use the root store provided by Mozilla for purposes other than what Mozilla’s root store is curated for. [...] Applications that use Mozilla’s root store for a purpose other than that have a critical security vulnerability. --------------------------------------------- https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusin… ∗∗∗ DarkSide Malware Profile ∗∗∗ --------------------------------------------- The following report provides X-Force Threat Intelligences analysis of the DarkSide ransomware family based on publicly available samples. Summary: DarkSide, like other ransomware used in targeted attacks, encrypts user data in compromised computers. Recent variants of DarkSide ransomware enumerates various system properties of the victim and beacons them in an encoded POST request to its C2 address. DarkSide also executes an encoded PowerShell command to delete volume shadow copies. It deletes [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/06d0917405c36ca91f5db1fe0c0… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (hivex), Fedora (djvulibre and thunderbird), openSUSE (monitoring-plugins-smart and perl-Image-ExifTool), Oracle (kernel and kernel-container), Red Hat (kernel and kpatch-patch), SUSE (drbd-utils, java-11-openjdk, and python3), and Ubuntu (exiv2, firefox, libxstream-java, and pyyaml). --------------------------------------------- https://lwn.net/Articles/855995/ ∗∗∗ Synology-SA-21:19 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_19 ∗∗∗ Citrix Workspace App Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified that could result in a local user escalating their privilege level to SYSTEM on the computer running Citrix Workspace app for Windows. --------------------------------------------- https://support.citrix.com/article/CTX307794 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/google-releases-s… ∗∗∗ Reflected XSS Vulnerability in SIS Infromatik - Rewe Go ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infrom… ∗∗∗ SAP Patchday Mai ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0496 ∗∗∗ 2020-10Password Change Authentication Bypass Vulnerability in HiOS & HiSecOS ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=12914&mediaformat… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed an information disclosure vulnerability (CVE-2020-4536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a cross-site scripting vulnerability (CVE-2020-4535) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ SSA-854248: Information Disclosure Vulnerability in Mendix Excel Importer Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-854248.txt ∗∗∗ SSA-752103: Telnet Authentication Vulnerability in SINAMICS Medium Voltage Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-752103.txt ∗∗∗ SSA-723417: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-723417.txt ∗∗∗ SSA-678983: Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-678983.txt ∗∗∗ SSA-676775: Denial-of-Service Vulnerability in SIMATIC NET CP 343-1 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-676775.txt ∗∗∗ SSA-594364: Denial-of-Service Vulnerability in SNMP Implementation of WinCC Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594364.txt ∗∗∗ SSA-501073: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-501073.txt ∗∗∗ SSA-324955: SAD DNS Attack in Linux Based Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-324955.txt ∗∗∗ SSA-286838: Multiple Vulnerabilities in SINAMICS Medium Voltage Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-286838.txt ∗∗∗ SSA-116379: Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-116379.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2021
by Daily end-of-shift report 10 May '21

10 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-05-2021 18:00 − Montag 10-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th) ∗∗∗ --------------------------------------------- Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets. --------------------------------------------- https://isc.sans.edu/diary/rss/27404 ∗∗∗ Manipulierte Entwicklungsumgebung: Xcode-Malware war enorm verbreitet ∗∗∗ --------------------------------------------- Im Verfahren Epic gegen Apple kam heraus, dass 2015 fast 130 Millionen iPhone-Nutzer von "XcodeGhost" betroffen waren – in über 2500 Apps. --------------------------------------------- https://heise.de/-6041836 ∗∗∗ Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs ∗∗∗ --------------------------------------------- Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns. Lemon Duck remains relevant as the operators begin to target [...] --------------------------------------------- https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html ∗∗∗ Banking‑Trojaner Ousaban analysiert ∗∗∗ --------------------------------------------- In unserer Serie zu lateinamerikanischen Banking-Trojanern betrachten wir einen Vertreter mit komplexen Vertriebsweg --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/05/07/banking-trojaner-ousaban-… ∗∗∗ Colonial Pipeline Falls Victim to Attack ∗∗∗ --------------------------------------------- Summary A top U.S. fuel pipeline company has suffered a cyber attack that has forced them to halt operations. Several news sources and the company itself have confirmed the attack. Threat Type Cyber Attack Overview ** Update May 10 - 8:50 AM** The most recent reporting indicates that the attack likely involved DarkSide, a ransomware-as-a-service (RaaS) affiliate operation. DarkSide posted the following statement to their leak site following the attack: We are apolitical, we do not participate in [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/cc757925ae0fdf1689518a35128… ∗∗∗ SolarWinds says fewer than 100 customers were impacted by supply chain attack ∗∗∗ --------------------------------------------- Texas-based software firm SolarWinds downgraded the number of customers impacted by its 2020 supply chain attack from 18,000 to less than 100. --------------------------------------------- https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impac… ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit Reader bug lets attackers run malicious code via PDFs ∗∗∗ --------------------------------------------- Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader. --------------------------------------------- https://www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attack… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml2), Fedora (autotrace, babel, kernel, libopenmpt, libxml2, mingw-exiv2, mingw-OpenEXR, mingw-openexr, python-markdown2, and samba), openSUSE (alpine, avahi, libxml2, p7zip, redis, syncthing, and vlc), and Ubuntu (webkit2gtk). --------------------------------------------- https://lwn.net/Articles/855909/ ∗∗∗ Linux kernel vulnerability CVE-2020-1749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K02186513 ∗∗∗ Security Bulletin: IBM CloudPak foundational services (Events Operator) is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloudpak-foundational… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to CVE-2021-20538 and CVE-2021-20577 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js urijs module affects IBM Cloud Pak for Multicloud Management Infrastructure management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability (CVE-2021-20559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-control-desk-is-vulne… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Codec ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2021
by Daily end-of-shift report 07 May '21

07 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-05-2021 18:00 − Freitag 07-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cuba Ransomware partners with Hancitor for spam-fueled attacks ∗∗∗ --------------------------------------------- The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-wit… ∗∗∗ MSM: Qualcomm-Modems in Millionen Smartphones angreifbar ∗∗∗ --------------------------------------------- Die Modems von Qualcomm könnten aus Android heraus angegriffen werden, um Gespräche mitzuhören. --------------------------------------------- https://www.golem.de/news/msm-qualcomm-modems-in-millionen-smartphones-angr… ∗∗∗ TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers ∗∗∗ --------------------------------------------- Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week. --------------------------------------------- https://www.securityweek.com/tsuname-vulnerability-can-be-exploited-ddos-at… ∗∗∗ Grill- und Gartensaison eröffnet: BetrügerInnen locken mit günstigen Angeboten! ∗∗∗ --------------------------------------------- Egal ob Werkzeuge zur Pflanzenpflege, ein neuer Griller, Terrassenmöbel oder ein Pool für den Garten: Mit steigenden Temperaturen, nimmt der Bedarf nach diesen Produkten zu. Natürlich lassen da auch BetrügerInnen nicht lange auf sich warten und locken mit günstigen Angeboten für die Grill- und Gartensaison. Wir zeigen Ihnen, wo Sie lieber nicht shoppen sollten! --------------------------------------------- https://www.watchlist-internet.at/news/grill-und-gartensaison-eroeffnet-bet… ∗∗∗ New Moriya rootkit stealthily backdoors Windows systems ∗∗∗ --------------------------------------------- Unknown attackers may have been quietly exploiting networks in attacks reaching back to 2018. --------------------------------------------- https://www.zdnet.com/article/new-moriya-rootkit-stealthily-backdoors-windo… ∗∗∗ LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks. SQLi and other injection attacks remain the top OWASP and CERT vulnerability. Current detection attempts frequently involve a myriad of regular expressions which are not only brittle and error-prone but also proven by Hanson and Patterson at Black Hat 2005 to never be a complete solution. --------------------------------------------- https://www.darknet.org.uk/2021/05/libinjection-detect-sql-injection-sqli-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and unbound1.9), Fedora (djvulibre and samba), Mageia (ceph, messagelib, and pagure), openSUSE (alpine and exim), Oracle (kernel and postgresql), Scientific Linux (postgresql), and Ubuntu (thunderbird and unbound). --------------------------------------------- https://lwn.net/Articles/855744/ ∗∗∗ SYSS-2021-024: XSS-SCHWACHSTELLE IM PRODUKT ADISCON LOGANALYZER (CVE-2021-31738) ∗∗∗ --------------------------------------------- Die Loginmaske des Adiscon LogAnalyzer war anfällig für eine Reflected XSS-Schwachstelle. Der Hersteller hat diese bereits mit einem Patch behoben. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-024-xss-schwachstelle-im-produkt… ∗∗∗ ABB Cybersecurity Advisory - AC 800PEC platform NAME:WRECK vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A1892&Lan… ∗∗∗ ABB Cybersecurity Advisory - Cassia Access Controller for ABB ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108368&Language… ∗∗∗ Security Advisory - Out-of-Bounds Write Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2021-3177 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for Interac e-Transfers for Red Hat OpenShift (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for Digital Payments for RedHat OpenShift (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: Information disclosure vulnerability may affect IBM Robotic Process Automation Anywher – CVE-2020-4901 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2021
by Daily end-of-shift report 06 May '21

06 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-05-2021 18:00 − Donnerstag 06-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ RotaJakiro, the Linux version of the OceanLotus ∗∗∗ --------------------------------------------- On Apr 28, we published our RotaJakiro backdoor blog, at that time, we didn’t have the answer for a very important question, what is this backdoor exactly for? We asked the community for clues and two days ago we got a hint, PE(Thanks!) wrote the following comment on --------------------------------------------- https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/ ∗∗∗ Alternative Ways To Perform Basic Tasks, (Thu, May 6th) ∗∗∗ --------------------------------------------- I like to spot techniques used by malware developers to perform basic tasks. We know the lolbins[1] that are pre-installed tools used to perform malicious activities. Many lolbins are used, for example, to download some content from the Internet. Some tools are so powerful that they can also be used to perform unexpected tasks. --------------------------------------------- https://isc.sans.edu/diary/rss/27392 ∗∗∗ Strong, Secure Passwords Are Key to Helping Reduce Risk to Your Organization ∗∗∗ --------------------------------------------- Blog post on how to create strong, secure passwords to reduce risk to your organization. --------------------------------------------- https://www.sans.org/blog/strong-secure-passwords-are-key-to-helping-reduce… ∗∗∗ BSI veröffentlicht Whitepaper zum aktuellen Stand der Prüfbarkeit von KI-Systemen ∗∗∗ --------------------------------------------- Basierend auf einem vom BSI, vom Verband der TÜVs und vom Fraunhofer HHI ausgetragenen internationalen Expertenworkshop wurde ein Whitepaper zum aktuellen Stand, offenen Fragen und zukünftig wichtigen Aktivitäten bezüglich der Prüfbarkeit von KI-Systemen verfasst. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ TrickBot: Get to Know the Malware That Refuses to Be Killed ∗∗∗ --------------------------------------------- Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with. Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/trickbot/ ∗∗∗ Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software ∗∗∗ --------------------------------------------- The incident started with a student who didnt want to pay for a license and ended with the loss of research. --------------------------------------------- https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-researc… ∗∗∗ CISA Releases Analysis Reports on New FiveHands Ransomware ∗∗∗ --------------------------------------------- CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant, known as FiveHands, that has been used to successfully conduct a cyberattack against an organization. CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor’s tactics, techniques, and procedures as well as indicators of compromise (IOCs). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/06/cisa-releases-ana… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco SD-WAN: Angreifer könnten Admin-Accounts erstellen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Cisco. --------------------------------------------- https://heise.de/-6038258 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-django), Fedora (java-latest-openjdk, libopenmpt, python-yara, skopeo, thunderbird, and yara), openSUSE (ceph and openexr), Red Hat (postgresql), SUSE (libxml2), and Ubuntu (exim4 and gnome-autoar). --------------------------------------------- https://lwn.net/Articles/855613/ ∗∗∗ Android users’ privacy at risk as Check Point Research identifies vulnerability on Qualcomm’s mobile station modems ∗∗∗ --------------------------------------------- Check Point Research (CPR) found a security vulnerability in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world’s phones. If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them [...] --------------------------------------------- https://blog.checkpoint.com/2021/05/06/android-users-privacy-at-risk-as-che… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in FusionCompute Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506… ∗∗∗ Ruby on Rails: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0480 ∗∗∗ Foxit Reader & PhantomPDF: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0481 ∗∗∗ VMware vRealize Operations: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0489 ∗∗∗ ZDI-21-523: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-523/ ∗∗∗ ZDI-21-522: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-522/ ∗∗∗ ZDI-21-521: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-521/ ∗∗∗ ZDI-21-520: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-520/ ∗∗∗ Security Bulletin: Vulnerability in Fabric OS used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fabric-o… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8287) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8265) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: A vulnerabilities in IBM Java affects IBM Rational Asset Analyzer. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java affecting IBM Rational Asset Analyzer. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2021
by Daily end-of-shift report 05 May '21

05 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-05-2021 18:00 − Mittwoch 05-05-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Quick and dirty Python: masscan, (Tue, May 4th) ∗∗∗ --------------------------------------------- The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable. --------------------------------------------- https://isc.sans.edu/diary/rss/27384 ∗∗∗ Introducing Baserunner: a tool for exploring and exploiting Firebase datastores ∗∗∗ --------------------------------------------- In this post well be looking at some risks posed by Firebase, a popular serverless application platform. --------------------------------------------- https://iosiro.com/blog/baserunner-exploiting-firebase-datastores ∗∗∗ How Attackers Use Compromised Accounts to Create and Distribute Malicious OAuth Apps ∗∗∗ --------------------------------------------- Open authorization or “OAuth” apps add business features and user-interface enhancements to major cloud platforms such as Microsoft 365 and Google Workspace. Unfortunately, they’re also a new threat vector [...] --------------------------------------------- https://www.proofpoint.com/us/blog/email-and-cloud-threats/how-attackers-us… ∗∗∗ How to Stop the Popups ∗∗∗ --------------------------------------------- McAfee is tracking an increase in the use of deceptive popups that mislead some users into taking action, while annoying many others. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-to-stop-the-popups/ ∗∗∗ Tour de Peloton: Exposed user data ∗∗∗ --------------------------------------------- An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. --------------------------------------------- https://www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-… ∗∗∗ Wunderheilmittel Entgiftungspflaster? Vorsicht bei Bestellungen auf nuubu.com! ∗∗∗ --------------------------------------------- Die körperliche und psychische Gesundheit mit Hilfe eines Entgiftungspflasters steigern? Das verspricht die litauische Firma „UAB Ekomlita“, die die Webseite nuubu.com betreibt. Wir raten jedoch zu Vorsicht: Rechtliche Vorgaben werden nicht eingehalten. --------------------------------------------- https://www.watchlist-internet.at/news/wunderheilmittel-entgiftungspflaster… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Kritische Root-Lücken bedrohen Exim-Mail-Server ∗∗∗ --------------------------------------------- Bei einer Untersuchung des Codes von Exim sind Sicherheitsforscher auf 21 Sicherheitslücken gestoßen. Angreifer könnten ganze Server übernehmen. --------------------------------------------- https://heise.de/-6036724 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cgal, exim4, and mediawiki), Fedora (axel, libmicrohttpd, libtpms, perl-Image-ExifTool, pngcheck, python-yara, and yara), Gentoo (exim), Mageia (kernel-linus), openSUSE (bind and postsrsd), SUSE (avahi, openexr, p7zip, python-Pygments, python36, samba, sca-patterns-sle11, and webkit2gtk3), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450, nvidia-graphics-drivers-450-server,[...] --------------------------------------------- https://lwn.net/Articles/855462/ ∗∗∗ Advantech WISE-PaaS RMM ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Advantech WISE-PaaS RMM, a software platform focused on IoT device remote monitoring and management. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-124-01 ∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Write vulnerability in Delta Electronics CNCSoft ScreenEditor software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-124-02 ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to insecure inter-deployment communication (CVE-2020-4979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Issues in IBM® Java™ SDK Technology Edition affects IBM Security Identity Manager Virtual Appliance (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-issues-in-ibm-java-sdk-te… ∗∗∗ Security Bulletin: IBM QRadar SIEM contains hard-coded credentials (CVE-2021-20401, CVE-2020-4932) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-contains-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting (XSS) (CVE-2020-4929) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache httpclient ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to path traversal (CVE-2020-4993) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM may be vulnerable to a XML External Entity Injection attack (XXE) (CVE-2020-5013) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-may-be-vu… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Cross domain information disclosure (CVE-2020-4883) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Apache Tomcat as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2020-13943) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-as-used-by-… ∗∗∗ CVE-2021-26900: Privilege Escalation Via a Use After Free Vulnerability In win32k ∗∗∗ --------------------------------------------- https://www.thezdi.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-vi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2021
by Daily end-of-shift report 04 May '21

04 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 03-05-2021 18:00 − Dienstag 04-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Webkit: Apple warnt vor Zero Days in iOS und MacOS ∗∗∗ --------------------------------------------- Die Apple-Lücken in Webkit werden wohl bereits aktiv ausgenutzt. Das Unternehmen stellt Updates bereit. --------------------------------------------- https://www.golem.de/news/webkit-apple-warnt-vor-zero-days-in-ios-2105-1562… ∗∗∗ 21Nails vulnerabilities impact 60% of the internet’s email servers ∗∗∗ --------------------------------------------- The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors. --------------------------------------------- https://therecord.media/21nails-vulnerabilities-impact-60-of-the-internets-… ∗∗∗ Pingback: Backdoor At The End Of The ICMP Tunnel ∗∗∗ --------------------------------------------- In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at… ∗∗∗ RM3 - Curiosities of the wildest banking malware ∗∗∗ --------------------------------------------- TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We’ll start with an overview of its origins and current operations before providing a deep dive technical analysis [...] --------------------------------------------- https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-m… ∗∗∗ Firebase Domain Front - Hiding C2 as App traffic ∗∗∗ --------------------------------------------- We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters --------------------------------------------- https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding… ∗∗∗ Jetzt patchen! Sicherheitsupdate für Pulse Connect Secure verfügbar ∗∗∗ --------------------------------------------- In einer aktualisierten Version der VPN-Software Pulse Connect Secure von Ivanti haben die Entwickler kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-6035501 ∗∗∗ ATT&CK v9 Introduces Containers, Google Workspace ∗∗∗ --------------------------------------------- MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform. --------------------------------------------- https://www.securityweek.com/attck-v9-introduces-containers-google-workspace ∗∗∗ Anzügliche Sex-Nachrichten auf Facebook & Instagram: Dahinter steckt Betrug ∗∗∗ --------------------------------------------- Facebook- und Instagram-NutzerInnen kennen es: Freundschaftsanfragen oder Nachrichten von unbekannten, meist freizügig gekleideten Frauen. Auf Instagram werden NutzerInnen auch sehr häufig zu fragwürdigen Gruppen hinzugefügt oder von Unbekannten auf Bildern markiert. Dahinter stecken Fake-Profile oder Bots, die auf unseriöse Dating-Portale locken, Daten sammeln oder nach Zugangsdaten fischen. --------------------------------------------- https://www.watchlist-internet.at/news/anzuegliche-sex-nachrichten-auf-face… ∗∗∗ Three new malware families found in global finance phishing campaign ∗∗∗ --------------------------------------------- Doubledrag, Doubledrop, and Doubleback are the work of “experienced” threat actors. --------------------------------------------- https://www.zdnet.com/article/researchers-find-three-new-malware-families-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Aktiv ausgenutzte Lücken: Apple patcht iOS, macOS und watchOS ∗∗∗ --------------------------------------------- macOS 11.3.1, iOS 14.5.1 und watchOS 7.4.1 beheben ein akutes Sicherheitsproblem in Safari. Außerdem wird ein Bug beim iPhone-App-Tracking-Schutz gefixt. --------------------------------------------- https://heise.de/-6035220 ∗∗∗ Android-Patchday: Kritische System-Lücke gibt Angreifern die volle Kontrolle ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. --------------------------------------------- https://heise.de/-6035560 ∗∗∗ Xen Security Advisory CVE-2021-28689 / XSA-370 - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests ∗∗∗ --------------------------------------------- A malicious 32-bit guest kernel may be able to mount a Spectre v2 attack against Xen, despite the presence hardware protections being active. It therefore might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-370.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba). --------------------------------------------- https://lwn.net/Articles/855308/ ∗∗∗ High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices ∗∗∗ --------------------------------------------- Owners of Dell devices were informed on Tuesday that a firmware update driver present on a large number of systems is affected by a series of high-severity vulnerabilities. --------------------------------------------- https://www.securityweek.com/high-severity-dell-driver-vulnerabilities-impa… ∗∗∗ Synology-SA-21:18 Hyper Backup ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Hyper Backup. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_18 ∗∗∗ Security Bulletin: Go is vulnerable to a denial of service on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-a-den… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with segmentation fault on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: GO is vulnerable to allows attacks on clients on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-allow… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: A vulnerability exists in the management GUI of the IBM FlashSystem 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: TensorFlow is vulnerable to a heap-based buffer overflow on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-is-vulnerable-… ∗∗∗ Security Bulletin: GO security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-go-security-vulnerabiliti… ∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3049, CVE-2021-3050) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2021
by Daily end-of-shift report 03 May '21

03 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-04-2021 18:00 − Montag 03-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Babuk quits ransomware encryption, focuses on data-theft extortion ∗∗∗ --------------------------------------------- A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encry… ∗∗∗ Hacker-Wettbewerb Austria Cyber Security Challenge gestartet ∗∗∗ --------------------------------------------- Der IT-Security-Wettbewerb für Schüler*innen, Studierende und Interessierte feiert heuer sein 10-jähriges Jubiläum. --------------------------------------------- https://futurezone.at/digital-life/hacker-wettbewerb-austria-cyber-security… ∗∗∗ New Buer Malware Downloader Rewritten in E-Z Rust Language ∗∗∗ --------------------------------------------- Its coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground. --------------------------------------------- https://threatpost.com/buer-malware-loader-rewritten-rust/165782/ ∗∗∗ PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd) ∗∗∗ --------------------------------------------- Many SSH clients can remember SSH servers' fingerprints. This can serve as a safety mechanism: you get a warning when the server you want to connect to, has no longer the same fingerprint. And then you can decide what to do: continue with the connection, or stop and try to figure out what is going on. --------------------------------------------- https://isc.sans.edu/diary/rss/27376 ∗∗∗ Sicherheitslücke Spectre lebt neu auf: AMD- und Intel-Prozessoren betroffen ∗∗∗ --------------------------------------------- Ein neuer Seitenkanalangriff zielt auf die Micro-Op-Caches aller modernen CPUs von AMD und Intel ab, Ryzen 5000 und Rocket Lake-S eingeschlossen. --------------------------------------------- https://heise.de/-6034264 ∗∗∗ Windows 10: BSI stellt Sicherheitseinstellungen zur Verfügung ∗∗∗ --------------------------------------------- Das BSI hat im Rahmen der „Studie zu Systemaufbau, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10“ (SiSyPHuS Win10) Handlungsempfehlungen zur Absicherung der Windows-Systeme in deutscher und englischer Sprache veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Tesla Car Hacked Remotely From Drone via Zero-Click Exploit ∗∗∗ --------------------------------------------- Two researchers have shown how a Tesla - and possibly other cars - can be hacked remotely without any user interaction. They carried out the attack from a drone. --------------------------------------------- https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exp… ∗∗∗ Trickbot Brief: Creds and Beacons ∗∗∗ --------------------------------------------- “TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal [...] --------------------------------------------- https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/ ∗∗∗ Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack ∗∗∗ --------------------------------------------- Swiss Cloud, a Switzerland-based cloud hosting provider, has suffered this week a ransomware attack that brought the companys server infrastructure to its knees. --------------------------------------------- https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider… ===================== = Vulnerabilities = ===================== ∗∗∗ Pulse Secure fixes VPN zero-day used to hack high-value targets ∗∗∗ --------------------------------------------- Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-… ∗∗∗ 8 geben: Python-Standard-Library ignoriert das Oktalystem in IP-Adressen ∗∗∗ --------------------------------------------- Die Library ipaddress prüft IP-Adressen seit 2019 nicht mehr auf führende Nullen. Ein Patch ist in Sicht, aber noch nicht veröffentlicht. --------------------------------------------- https://heise.de/-6034508 ∗∗∗ SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin ∗∗∗ --------------------------------------------- On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all [...] --------------------------------------------- https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, GNOME, java-1.8.0-openjdk, java-11-openjdk, nss and nspr, xstream, and xterm), Debian (bind9 and libimage-exiftool-perl), Fedora (ansible, babel, java-11-openjdk, and java-latest-openjdk), Gentoo (chromium, clamav, firefox, git, grub, python, thunderbird, tiff, webkit-gtk, and xorg-server), Mageia (kernel, nvidia-current, nvidia390, qtbase5, and sdl2), openSUSE (Chromium, cifs-utils, cups, giflib, gsoap, libnettle, librsvg, netdata, postsrsd, [...] --------------------------------------------- https://lwn.net/Articles/855217/ ∗∗∗ Synology-SA-21:16 ISC BIND ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology DNS Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_16 ∗∗∗ Synology-SA-21:17 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_17 ∗∗∗ Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php ∗∗∗ Epic Games Psyonix Rocket League v1.95 Insecure Permissions ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5650.php ∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2021
by Daily end-of-shift report 30 Apr '21

30 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-04-2021 18:00 − Freitag 30-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qnap-NAS mit veralteter Firmware fallen AgeLocker-Ransomware zum Opfer ∗∗∗ --------------------------------------------- Erneut hat es ein Verschlüsselungstrojaner auf Netzwerkspeicher (NAS) von Qnap abgesehen. --------------------------------------------- https://heise.de/-6032831 ∗∗∗ Anlagebetrug: Alexander Van der Bellen wirbt nicht für Bitcoin-Investments! ∗∗∗ --------------------------------------------- Immer wieder berichten wir davon, dass Promis ungerechtfertigt genutzt werden, um unseriöse Trading-Plattformen zu bewerben. Aktuell haben es die Kriminellen auf den österreichischen Bundespräsidenten Alexander Van der Bellen abgesehen. Dieser soll erfundenen Berichten zu Folge unseriöse Plattformen wie „Bitcoin Era“, „Bitcoin Prime“ oder „Crypto Revolt“ nutzen, um zusätzliches Geld zu verdienen. Glauben Sie diesen Berichten nicht. --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-alexander-van-der-belle… ∗∗∗ Codecov begins notifying affected customers, discloses IOCs ∗∗∗ --------------------------------------------- Codecov has now started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/codecov-begins-notifying-aff… ∗∗∗ DomainTools And Digital Archeology: A Look At RotaJakiro ∗∗∗ --------------------------------------------- Gain additional insight into the malware dubbed RotaJakiro by Netlab with analysis by Chad Anderson on additional infrastructure unearthed including IP addresses, C2 domains, and more. --------------------------------------------- https://www.domaintools.com/resources/blog/domaintools-and-digital-archeolo… ∗∗∗ Babuk Ransomware Gang Mulls Retirement ∗∗∗ --------------------------------------------- The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that theyll be open-sourcing their data encryption malware for other crooks to use. --------------------------------------------- https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/ ∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community or this post. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th) ∗∗∗ --------------------------------------------- A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challeng…. --------------------------------------------- https://isc.sans.edu/diary/rss/27372 ∗∗∗ How to Find & Fix Mixed Content Issues with SSL / HTTPS ∗∗∗ --------------------------------------------- Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings. Today, let’s look at these common errors, what causes them, and how [...] --------------------------------------------- https://blog.sucuri.net/2021/04/how-to-find-fix-mixed-content-issues-with-s… ∗∗∗ UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat ∗∗∗ --------------------------------------------- Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fi… ∗∗∗ IoT riddled with BadAlloc vulnerabilities ∗∗∗ --------------------------------------------- A set of memory allocation vulnerabilities, dubbed BadAlloc, has been found in a massive number of IoT and OT devices. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/04/iot-riddled-with-badalloc-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke verrät Standorte von Elektro-Zweirädern und Telefonnummern ∗∗∗ --------------------------------------------- Die API des Zweiradherstellers Supersoco hat eine schwere Sicherheitslücke, aber weder der Hersteller noch der D/AT-Importeur kümmern sich. --------------------------------------------- https://heise.de/-6032820 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, firefox, gitlab, libupnp, nimble, opera, thunderbird, virtualbox, and vivaldi), Debian (composer, edk2, and libhibernate3-java), Fedora (java-1.8.0-openjdk, jetty, and samba), openSUSE (nim), Oracle (bind and runc), Red Hat (bind), SUSE (cifs-utils, cups, ldb, samba, permissions, samba, and tomcat), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/855029/ ∗∗∗ Texas Instruments SimpleLink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow and Integer Overflow or Wraparound vulnerabilities in Texas Instruments SimpleLink wireless microcontrollers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-01 ∗∗∗ Cassia Networks Access Controller ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Path Traversal vulnerability in Cassia Networks Access Controller Bluetooth network management tool. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-02 ∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in the Ubunty operating system of Exacq Technologies exacqVision. Exacq Technologies is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-03 ∗∗∗ Multiple RTOS ∗∗∗ --------------------------------------------- CISA is aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. This advisory contains mitigations for Integer Overflow or Wraparound vulnerabilities associated with this "BadAlloc" report. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 ∗∗∗ ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities ∗∗∗ --------------------------------------------- BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL Versions previous to 1.1.1k and Python 0 through 3.9.1, have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be easily exploited. The exploitation of these vulnerabilities can lead to remote code execution --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-017743.html ∗∗∗ FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline ∗∗∗ --------------------------------------------- BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-428397.html ∗∗∗ Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities ∗∗∗ --------------------------------------------- Parallels Desktop implements a hypercall interface using an RDPMC instruction (“Read Performance-Monitoring Counter”) for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [PDF] paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and [...] --------------------------------------------- https://www.thezdi.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-int… ∗∗∗ QNAP NAS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0462 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a Server-Side Request Forgery vulnerability (CVE-2020-28168) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Images built from IBM App Connect Enterprise Certified Container images may be vulnerable to information exposure via CVE-2020-15095 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-images-built-from-ibm-app… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os… ∗∗∗ Security Bulletin: z/TPF is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-o… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container flows may be vulnerable to spoofing attacks (CVE-2020-26291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring components may be vulnerable to a denial of service attack (CVE-2020-28477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2021
by Daily end-of-shift report 29 Apr '21

29 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-04-2021 18:00 − Donnerstag 29-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Google: Androids Corona-Kontaktverfolgung leakt Daten ∗∗∗ --------------------------------------------- Eigentlich sollte nur das Exposure Notification Framework auf die gesammelten Kontakte zugreifen können, doch Android schreibt sie in ein Log. --------------------------------------------- https://www.golem.de/news/corona-warn-app-androids-corona-kontaktverfolgung… ∗∗∗ Threat Alert: New update from Sysrv-hello, now infecting victims‘ webpages to push malicious exe to end users ∗∗∗ --------------------------------------------- >From the end of last year to now, we have see the uptick of the mining botnet families. While new families have been popping up, some old ones are get frequently updated. Our BotMon system has recently reported about the [rinfo][z0miner]. And the latest case comes from Sysrv-hello [...] --------------------------------------------- https://blog.netlab.360.com/threat-alert-new-update-from-sysrv-hello-now-in… ∗∗∗ Announcing the New Report Delta Mode Option ∗∗∗ --------------------------------------------- A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipients’s network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the [...] --------------------------------------------- https://www.shadowserver.org/news/announcing-the-new-report-delta-mode-opti… ∗∗∗ Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers billing details for two weeks ∗∗∗ --------------------------------------------- First that IPO and now this Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers billing information via a now-patched vulnerability. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/04/29/digital_ocea… ∗∗∗ [SANS ISC] From Python to .Net ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “From Python to .Net“: The Microsoft operating system provides the .Net framework to developers. It allows to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the [...] --------------------------------------------- https://blog.rootshell.be/2021/04/29/sans-isc-from-python-to-net/ ∗∗∗ Task Force Seeks to Disrupt Ransomware Payments ∗∗∗ --------------------------------------------- Some of the worlds top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes. --------------------------------------------- https://krebsonsecurity.com/2021/04/task-force-seeks-to-disrupt-ransomware-… ∗∗∗ Bitcoin scammers phish for wallet recovery codes on Twitter ∗∗∗ --------------------------------------------- Cryptocurrency scammers are on the prowl for wallet recovery phrases, under the pretence of trying to be helpful. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/04/bitcoin-scammers-p… ∗∗∗ Anatomy of how you get pwned ∗∗∗ --------------------------------------------- Today, somebody had a problem: they kept seeing a popup on their screen, and obvious scam trying to sell them McAfee anti-virus. Where was this coming from? In this blogpost, I follow this rabbit hole on down. It starts with "search engine optimization" links and leads to an entire industry of tricks, scams, exploiting popups, trying to infect your machine with viruses, and stealing emails or credit card numbers. --------------------------------------------- https://blog.erratasec.com/2021/04/anatomy-of-how-you-get-pwned.html ∗∗∗ Betrügerische Kleinanzeigen auf hyperanzeigen.at ∗∗∗ --------------------------------------------- Immer wieder erreichen die Watchlist Internet Meldungen zu unseriösen Angeboten auf hyperanzeigen.at. Ein genauerer Blick auf die Plattform selbst lässt aber auch Zweifel an deren Seriosität aufkommen. Bei einer Überprüfung von 15 Anzeigen aus unterschiedlichen Kategorien konnten wir keine einzige echte finden. Weiters fehlen Kontaktmöglichkeiten und ein Impressum. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-kleinanzeigen-auf-hyp… ∗∗∗ New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl) ∗∗∗ --------------------------------------------- We analyze commodity malware WeSteal, detail its techniques and examine its customers, as well as sharing details of a newly observed RAT, WeControl. --------------------------------------------- https://unit42.paloaltonetworks.com/westeal/ ===================== = Vulnerabilities = ===================== ∗∗∗ A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks ∗∗∗ --------------------------------------------- The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was [...] --------------------------------------------- https://thehackernews.com/2021/04/a-new-php-composer-bug-could-enable.html ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Advisories zu 13 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, fünf als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Overview of F5 vulnerabilities (April 2021) ∗∗∗ --------------------------------------------- Overview of F5 vulnerabilities (April 2021) Security Advisory Security Advisory Description On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as [...] --------------------------------------------- https://support.f5.com/csp/article/K96639388 ∗∗∗ Vulnerability Exposes F5 BIG-IP to Kerberos KDC Hijacking Attacks ∗∗∗ --------------------------------------------- F5 Networks this week released patches to address an authentication bypass vulnerability affecting BIG-IP Access Policy Manager (APM), but fixes are not available for all impacted versions. --------------------------------------------- https://www.securityweek.com/vulnerability-exposes-f5-big-ip-kerberos-kdc-h… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ceph, jetty, kernel, kernel-headers, kernel-tools, openvpn, and shim-unsigned-x64), Mageia (firefox and thunderbird), Oracle (nss and openldap), Red Hat (bind), Slackware (bind), SUSE (firefox, giflib, java-1_7_0-openjdk, libnettle, librsvg, thunderbird, and webkit2gtk3), and Ubuntu (bind9 and gst-plugins-good1.0). --------------------------------------------- https://lwn.net/Articles/854880/ ∗∗∗ ZDI-21-490: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-490/ ∗∗∗ ZDI-21-489: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-489/ ∗∗∗ ZDI-21-488: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-488/ ∗∗∗ ZDI-21-487: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-487/ ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cookie forgery via PHP (CVE-2020-7070) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0452 ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0451 ∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0459 ∗∗∗ PHP: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0458 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2021
by Daily end-of-shift report 28 Apr '21

28 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-04-2021 18:00 − Mittwoch 28-04-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security: Juristische Konsequenzen durch den Cellebrite-Hack ∗∗∗ --------------------------------------------- Urteile, in denen die Forensiksoftware zur Beweissicherung verwendet wurde, werden nach Aufdeckung der schweren Sicherheitslücken in Frage gestellt. --------------------------------------------- https://www.golem.de/news/security-juristische-konsequenzen-durch-den-celle… ∗∗∗ RotaJakiro: A long live secret backdoor with 0 VT detection ∗∗∗ --------------------------------------------- On March 25, 2021, 360 NETLABs BotMon system flagged a suspiciousELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection, the sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not of TLS/SSL. --------------------------------------------- https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ ∗∗∗ Abusing Replication: Stealing AD FS Secrets Over the Network ∗∗∗ --------------------------------------------- Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-st… ∗∗∗ Emotet: Gut 4 Millionen kopierter Mail-Adressen bei Prüfdienst Have I Been Pwned ∗∗∗ --------------------------------------------- Um Betroffene besser informieren zu können, hat das FBI über vier Mio. E-Mail-Adressen, die der Ex-"König der Schadsoftware" Emotet abgriff, mit HIBP geteilt. --------------------------------------------- https://heise.de/-6030480 ∗∗∗ User Empowerment: Password Security ∗∗∗ --------------------------------------------- World Password Day (who knew that was a thing?) is upon us. --------------------------------------------- https://malicious.link/post/2021/user-empowerment-password-security/ ∗∗∗ Österreichische Gesundheitskasse warnt vor betrügerischen Anrufen ∗∗∗ --------------------------------------------- Versicherte der Österreichischen Gesundheitskasse (ÖGK) werden derzeit von BetrügerInnen angerufen. Die BetrügerInnen geben sich als MitarbeiterInnen der ÖGK aus und rufen von einer vermeintlich österreichischen Nummer an. --------------------------------------------- https://www.watchlist-internet.at/news/oesterreichische-gesundheitskasse-wa… ∗∗∗ Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle ∗∗∗ --------------------------------------------- It has been suspected that exploit code used in the wave of attacks may have been sourced from the program. --------------------------------------------- https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing… ∗∗∗ Two million database servers are currently exposed across cloud providers ∗∗∗ --------------------------------------------- Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs. --------------------------------------------- https://therecord.media/two-million-database-servers-are-currently-exposed-… ∗∗∗ Ransomware gang targets Microsoft SharePoint servers ∗∗∗ --------------------------------------------- Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs. --------------------------------------------- https://therecord.media/ransomware-gang-targets-microsoft-sharepoint-server… ===================== = Vulnerabilities = ===================== ∗∗∗ Schadcode-Lücke in IBM Spectrum Protect gefährdet Server ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für IBMs Datenschutzlösung Spectrum Protect und Spectrum Protect Plus. --------------------------------------------- https://heise.de/-6030379 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and shibboleth-sp), Fedora (ceph and salt), Oracle (thunderbird), Red Hat (etcd), Scientific Linux (nss and openldap), SUSE (curl, gdm, and libnettle), and Ubuntu (openjdk-8, openjdk-lts and underscore). --------------------------------------------- https://lwn.net/Articles/854756/ ∗∗∗ Synology-SA-21:15 Antivirus Essential ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_15 ∗∗∗ WordPress plugin "WP Fastest Cache" vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35240327/ ∗∗∗ ZDI-21-485: (0Day) Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-485/ ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-16044) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a directory traversal vulnerability affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-26974) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23978) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04234247 ∗∗∗ TMM vulnerability CVE-2021-23011 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10751325 ∗∗∗ BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91414704 ∗∗∗ Running a CTU Diagnostics Report may leave elevated command prompt after report generation ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03544414 ∗∗∗ TMM with HTTP/2 vulnerability (CVE-2021-23009) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K90603426 ∗∗∗ BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18570111 ∗∗∗ BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23203045 ∗∗∗ BIG-IP APM AD authentication vulnerability CVE-2021-23008 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51213246 ∗∗∗ Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74151369 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2021
by Daily end-of-shift report 27 Apr '21

27 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 26-04-2021 18:00 − Dienstag 27-04-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 15 open source GitHub projects for security pros ∗∗∗ --------------------------------------------- Whether you are a sysadmin, a threat intel analyst, a malware researcher, forensics expert, or even a software developer looking to build secure software, these 15 free tools from GitHub or GitLab can easily fit into your day-to-day work activities and provide added advantages. --------------------------------------------- https://www.csoonline.com/article/3058594/19-open-source-github-projects-fo… ∗∗∗ CAD: .DGN and .MVBA Files, (Mon, Apr 26th) ∗∗∗ --------------------------------------------- Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code. --------------------------------------------- https://isc.sans.edu/diary/rss/27354 ∗∗∗ Aggrokatz: pypykatz trifft Cobalt Strike ∗∗∗ --------------------------------------------- Das Tool "aggrokatz", welches von SEC Consult intern zum Parsen von LSASS-Dump-Dateien in Cobalt Strike eingesetzt wird, wurde soeben als Open Source Tool veröffentlicht! --------------------------------------------- https://sec-consult.com/de/blog/detail/aggrokatz-pypykatz-trifft-cobalt-str… ∗∗∗ The March/April 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Exploit on Exchange --------------------------------------------- https://securityblog.switch.ch/2021/04/27/the-march-april-2021-issue-of-our… ∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in the Linux Kernel ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel. --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html ∗∗∗ Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU ∗∗∗ --------------------------------------------- Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol rereferred to as the worlds most dangerous malware: Emotet. --------------------------------------------- https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-… ∗∗∗ WhatsApp-NutzerInnen aufgepasst: Kriminelle versuchen Ihr WhatsApp-Konto zu stehlen ∗∗∗ --------------------------------------------- Sie wurden auf WhatsApp gebeten, einen 6-stelligen-Code weiterzuleiten? Tun Sie das auf gar keinen Fall, dieser Code ist der Schlüssel zu Ihrem WhatsApp-Account. Kriminelle versuchen Sie mit unterschiedlichsten Begründungen zu überzeugen, diesen weiterzuleiten. --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nutzerinnen-aufgepasst-krim… ∗∗∗ CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks ∗∗∗ --------------------------------------------- A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/cisa-and-nist-rel… ===================== = Vulnerabilities = ===================== ∗∗∗ All Your Macs Are Belong To Us ∗∗∗ --------------------------------------------- Here, we detail a bug that trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk! --------------------------------------------- https://objective-see.com/blog/blog_0x64.html ∗∗∗ Citrix ShareFile storage zones controller security update ∗∗∗ --------------------------------------------- A security issue has been identified in the Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller. --------------------------------------------- https://support.citrix.com/article/CTX310780 ∗∗∗ Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin ∗∗∗ --------------------------------------------- On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-lea… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, and gst-plugins-ugly1.0), Fedora (kernel, kernel-headers, kernel-tools, and rust), openSUSE (firefox), Oracle (firefox, mariadb:10.3 and mariadb-devel:10.3, thunderbird, and xstream), Red Hat (kernel, kernel-alt, kpatch-patch, nss, and openldap), Scientific Linux (firefox, thunderbird, and xstream), SUSE (firefox), and Ubuntu (file-roller, firefox, and ruby2.7). --------------------------------------------- https://lwn.net/Articles/854623/ ∗∗∗ NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability ∗∗∗ --------------------------------------------- A newly identified NTLM (New Technology LAN Manager) relay attack abuses a remote procedure call (RPC) vulnerability to enable elevation of privilege, researchers from cybersecurity firm SentinelOne reveal. --------------------------------------------- https://www.securityweek.com/ntlm-relay-attack-abuses-windows-rpc-protocol-… ∗∗∗ Apple Security Updates 2021-04-26 ∗∗∗ --------------------------------------------- https://support.apple.com/en-us/HT201222 ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m… ∗∗∗ Security Bulletin: Buffer Overflow Vulnerability in IBM SDK Affects IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to weak file permissions allowing access to specific files (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Nvidia Treiber: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0440 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0447 ∗∗∗ TYPO3 Extension: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0449 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/27/google-releases-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2021
by Daily end-of-shift report 26 Apr '21

26 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-04-2021 18:00 − Montag 26-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qnap: NAS-Ransomware erpresst in wenigen Tagen 230.000 Euro ∗∗∗ --------------------------------------------- Mit einer trivialen Sicherheitslücke konnte die Ransomware Qlocker binnen weniger Tage Tausende Euro von Qnap-NAS-Besitzern erpressen. --------------------------------------------- https://www.golem.de/news/qnap-nas-ransomware-erpresst-in-wenigen-tagen-230… ∗∗∗ Passwordstate: Passwort-Manager von Click Studios gehackt ∗∗∗ --------------------------------------------- Angreifern ist die Kompromittierung einer Upgrade-Funktion von Click Studios gelungen. Nutzer von Passwordstate sollen ihre Passwörter zurücksetzen. --------------------------------------------- https://heise.de/-6027188 ∗∗∗ "Tschüss Emotet": Malware deinstalliert sich selbst ∗∗∗ --------------------------------------------- Der "König der Schad-Software" machte still und leise einen Abgang. --------------------------------------------- https://heise.de/-6028392 ∗∗∗ Unsecured Kubernetes Instances Could Be Vulnerable to Exploitation ∗∗∗ --------------------------------------------- We discuss how malware and malicious activities can occur in unsecured Kubernetes instances and how better configuration can help. --------------------------------------------- https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/ ∗∗∗ This password-stealing Android malware is spreading quickly: Heres what to watch out for ∗∗∗ --------------------------------------------- FluBot is designed to steal personal information including bank details - and infected users are being exploited to spread the malware to their contacts. --------------------------------------------- https://www.zdnet.com/article/this-password-stealing-android-malware-is-spr… ∗∗∗ Hacking campaign targets FileZen file-sharing network appliances ∗∗∗ --------------------------------------------- Threat actors are using two vulnerabilities in a popular file-sharing server to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Ministers Cabinet Office. --------------------------------------------- https://therecord.media/hacking-campaign-targets-filezen-file-sharing-netwo… ∗∗∗ Fake Microsoft DirectX 12 site pushes crypto-stealing malware ∗∗∗ --------------------------------------------- Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-si… ∗∗∗ Base64 Hashes Used in Web Scanning, (Sat, Apr 24th) ∗∗∗ --------------------------------------------- I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each logs. This graph illustrate an increase in web scanning activity for username:password over the past 3 years. --------------------------------------------- https://isc.sans.edu/diary/rss/27346 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux ∗∗∗ --------------------------------------------- A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a [...] --------------------------------------------- https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html ∗∗∗ SSD Advisory – Hongdian H8922 Multiple Vulnerabilities ∗∗∗ --------------------------------------------- The H8922 “4G industrial router is based on 3G/4G wireless network and adopts a high-performance 32-bit embedded operating system with full industrial design. It supports wired and wireless network backup, and its high reliability and convenient networking make it suitable for large-scale distributed industrial applications. Such as smart lockers, charging piles, bank ATM machines, tower monitoring, electricity, water conservancy, environmental protection”. Several vulnerabilities in the H8922 device allow remote attackers to cause the device to execute arbitrary commands with root privileges due to the fact that user provided data is not properly filtered as well as a backdoor account allows access via port 5188/tcp. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabili… ∗∗∗ [PDF] Beckhoff Security Advisory 2021-001: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server ∗∗∗ --------------------------------------------- Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs. --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ Erneut Sicherheitslücke bei Corona-Schnelltests ∗∗∗ --------------------------------------------- Aufgrund einer Sicherheitslücke in einer Schnelltest-Software konnten Unbefugte auf sensible Informationen zugreifen. Die Lücke ist mittlerweile geschlossen. --------------------------------------------- https://heise.de/-6027394 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7, gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, jackson-databind, libspring-java, opendmarc, openjdk-11, and pjproject), Fedora (buildah, containers-common, crun, firefox, java-11-openjdk, nextcloud-client, openvpn, podman, python3-docs, python3.9, runc, and xorg-x11-server), Mageia (connman, krb5-appl, and virtualbox), openSUSE (apache-commons-io, ImageMagick, jhead, libdwarf, nim, [...] --------------------------------------------- https://lwn.net/Articles/854504/ ∗∗∗ MB connect line: multiple products partially affected by DNSspooq ∗∗∗ --------------------------------------------- Multiple flaws have been found in dnsmasq before version 2.83 [...] --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-012 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0436 ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0438 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2021
by Daily end-of-shift report 23 Apr '21

23 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-04-2021 18:00 − Freitag 23-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ [SANS ISC] Malicious PowerPoint Add-On: “Small Is Beautiful” ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malicious PowerPoint Add-On: ‘Small Is Beautiful‘”: Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous [...] --------------------------------------------- https://blog.rootshell.be/2021/04/23/sans-isc-malicious-powerpoint-add-on-s… ∗∗∗ Erpressungstrojaner eCh0raix und Qlocker haben es auf Qnap NAS abgesehen ∗∗∗ --------------------------------------------- Aufgrund von aktuellen Ransomware-Attacken auf Netzwerkspeicher (NAS) von Qnap sollten alle Besitzer die Software auf aktuellem Stand halten. --------------------------------------------- https://heise.de/-6026483 ∗∗∗ Sicherheitsforscher: AirDrop kann Kontaktdaten des iPhone-Besitzers preisgeben ∗∗∗ --------------------------------------------- Telefonnumer und Mail-Adresse sind gehasht, lassen sich von nahen Angreifern aber zurückrechnen, so die Forscher. Apple kenne die Lücke seit zwei Jahren. --------------------------------------------- https://heise.de/-6026661 ∗∗∗ Microsoft ruft an? Legen Sie lieber auf! ∗∗∗ --------------------------------------------- Aktuell häufen sich wieder Anrufe von vermeintlichen Microsoft-MitarbeiterInnen. Dabei handelt es sich um BetrügerInnen, die wahllos Menschen anrufen und von einem Problem mit dem Computer der Opfer sprechen. Die Masche dahinter: Kriminelle wollen sich Zugang zu Ihrem Computer verschaffen und sensible Daten abgreifen. Legen Sie bei solchen Anrufen sofort auf! --------------------------------------------- https://www.watchlist-internet.at/news/microsoft-ruft-an-legen-sie-lieber-a… ∗∗∗ Network Attack Trends: Internet of Threats (November 2020-January 2021) ∗∗∗ --------------------------------------------- Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution. --------------------------------------------- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/ ∗∗∗ Angriff auf Anti-Phishing-Banner in E-Mails ∗∗∗ --------------------------------------------- Bei der Analyse von Warnungen vor Phishing-Mails stellte die SySS erhebliche Mängel fest, die es Angreifenden ermöglichen, solche Banner auszublenden. --------------------------------------------- https://www.syss.de/pentest-blog/angriff-auf-anti-phishing-banner-in-e-mails ∗∗∗ Sysrv: A new crypto-mining botnet is silently growing in the shadows ∗∗∗ --------------------------------------------- If you forget to update or properly secure an internet-connected server or web app, the chances are that a crypto-mining botnet will infect it first, long before any nation-state hacking group. Crypto-mining botnets have been a plague on the internet for the past three years, and despite the space being more than saturated, new botnets are being built and discovered on a re.gular basis, driven mainly by cybercriminals unquenched thirst for easy money. --------------------------------------------- https://therecord.media/sysrv-a-new-crypto-mining-botnet-is-silently-growin… ===================== = Vulnerabilities = ===================== ∗∗∗ Sipwise C5 NGCP CSC CSRF Click2Dial Exploit ∗∗∗ --------------------------------------------- The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php ∗∗∗ Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities ∗∗∗ --------------------------------------------- Sipwise software platform suffers from multiple authenticated stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a users browser session in context of an affected site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php ∗∗∗ BOSCH-SA-918106 - ctrlX Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in operating system libraries and the Linux kernel have been reported which in a worst case scenario could allow an attacker to compromise the system by provoking a crash or the execution of malicious code. The affected functions are not used directly by any Rexroth software component and therefore the risk of an attacker being able to exploit the vulnerability is considered as low. Nevertheless, it cannot be completely ruled out that the functions might be called [...] --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-918106.html ∗∗∗ Security Bulletin: Trend Micro HouseCall for Home Networks Incorrect Permission Assignment Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- Trend Micro has released an updated version of Trend Micro HouseCall for Home Networks which resolve two incorrect permission assignment vulnerabilities that may lead to privilege escalation. --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-10310 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, openjdk-8, and wpa), openSUSE (irssi, jhead, opera, and python-django-registration), SUSE (firefox and qemu), and Ubuntu (dnsmasq and shibboleth-sp). --------------------------------------------- https://lwn.net/Articles/854215/ ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Input Validation, and Improper Access Controls vulnerabilities in Horner Automation Cscape control system application programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-112-01 ∗∗∗ Mitsubishi Electric GOT ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Authentication vulnerability in Mitsubishi Electrics GOT human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-112-02 ∗∗∗ Security Bulletin: Series of vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-series-of-vulnerabilities… ∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environments Java™ Technology Edition Versions affects IBM® Db2®. (January 2021 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ru… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-server-vulnerabil… ∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2017-1000190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2021
by Daily end-of-shift report 22 Apr '21

22 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-04-2021 18:00 − Donnerstag 22-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Macher des Signal-Messenger hacken Spionage-Software von Cellebrite ∗∗∗ --------------------------------------------- Die Signal-Entwickler zeigen per Video, wie ein präpariertes iPhone die von Ermittlungsbehörden verwendete Software von Cellebrite aushebelt. --------------------------------------------- https://heise.de/-6024421 ∗∗∗ Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices ∗∗∗ --------------------------------------------- A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-a… ∗∗∗ Attackers can hide external sender email warnings with HTML and CSS ∗∗∗ --------------------------------------------- The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-… ∗∗∗ Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns ∗∗∗ --------------------------------------------- Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims’ machines, new research has found. --------------------------------------------- https://threatpost.com/telegram-toxiceye-malware/165543/ ∗∗∗ Announcing the New Reports API ∗∗∗ --------------------------------------------- We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret. --------------------------------------------- https://www.shadowserver.org/news/announcing-the-new-reports-api/ ∗∗∗ All Your Databases Belong To Me! A Blind SQLi Case Study ∗∗∗ --------------------------------------------- The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-da… ∗∗∗ Researchers Find Additional Infrastructure Used By SolarWinds Hackers ∗∗∗ --------------------------------------------- The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, [...] --------------------------------------------- https://thehackernews.com/2021/04/researchers-find-additional.html ∗∗∗ [SANS ISC] How Safe Are Your Docker Images? ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “How Safe Are Your Docker Images?“: Today, I don’t know any organization that is not using Docker today. For only test and development only or to full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier’s tools. Today, we are also facing a new threat: supply chain attacks (think about Solarwinds or, more recently, CodeCov). Let’s mix the attraction for container technologies and this threat, we realize that Docker images are a great way to compromise an organization! --------------------------------------------- https://blog.rootshell.be/2021/04/22/sans-isc-how-safe-are-your-docker-imag… ∗∗∗ PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately ∗∗∗ --------------------------------------------- Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible [...] --------------------------------------------- https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-p… ∗∗∗ Now this botnet is hunting for unpatched Microsoft Exchange servers ∗∗∗ --------------------------------------------- Prometei botnets key goal is cryptojacking - but its powerful capabilities could see it deployed for much more dangerous attacks. --------------------------------------------- https://www.zdnet.com/article/now-this-botnet-is-hunting-for-unpatched-micr… ∗∗∗ CISA Incident Response to SUPERNOVA Malware ∗∗∗ --------------------------------------------- CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-res… ∗∗∗ AirDrop bugs expose Apple users' email addresses, phone numbers ∗∗∗ --------------------------------------------- A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apples AirDrop file transfer feature. --------------------------------------------- https://therecord.media/airdrop-bugs-expose-apple-users-email-addresses-pho… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories zu Cisco SD-WAN vManage Software ∗∗∗ --------------------------------------------- Cisco hat 5 Security Advisories zu Cisco SD-WAN vManage Software veröffentlicht, die alle als "Medium" klassifiziert werden. --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Sicherheitsupdates: Statische Zugangsdaten gefährden Qnap NAS ∗∗∗ --------------------------------------------- Eine kritische Lücke in HBS 3 Hybrid Backup Sync bringt Netzwerkspeicher (NAS) von Qnap in Gefahr. --------------------------------------------- https://heise.de/-6025271 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/853953/ ∗∗∗ Google rushes out fix for zero‑day vulnerability in Chrome ∗∗∗ --------------------------------------------- The update patches a total of seven security flaws in the desktop versions of the popular web browser --------------------------------------------- https://www.welivesecurity.com/2021/04/21/google-fix-zero-day-vulnerability… ∗∗∗ Drupal: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0432 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0431 ∗∗∗ Stored XSS (veraltete Software-Bibliothek) in BMDWeb 2.0 ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-veraltete-… ∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Performance Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2021
by Daily end-of-shift report 21 Apr '21

21 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-04-2021 18:00 − Mittwoch 21-04-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Brace yourselves. Facebook has a new mega-leak on its hands ∗∗∗ --------------------------------------------- Facebook Email Search v1.0 can process 5 million email addresses per day, researcher says. --------------------------------------------- https://arstechnica.com/?p=1758893 ∗∗∗ Logins for 1.3 million Windows RDP servers collected from hacker market ∗∗∗ --------------------------------------------- The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/logins-for-13-million-window… ∗∗∗ New article: Run your malicious VBA macros anywhere! ∗∗∗ --------------------------------------------- Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code. --------------------------------------------- https://www.virusbulletin.com/blog/2021/04/new-article-run-your-malicious-v… ∗∗∗ CVE-2021-30481: Source engine remote code execution via game invites ∗∗∗ --------------------------------------------- In this blog post, we will look at how an attacker can use the Steamworks API in combination with various features and properties of the Source engine to gain remote code execution (RCE) through malicious Steam game invites. --------------------------------------------- https://secret.club/2021/04/20/source-engine-rce-invite.html ∗∗∗ A year of Fajan evolution and Bloomberg themed campaigns ∗∗∗ --------------------------------------------- Some malware campaigns are designed to spread malware to as many people as possible — while some others carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit in any of the two categories. --------------------------------------------- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bl… ∗∗∗ Kleinanzeigenbetrug: Vorsicht bei Abwicklung über erfundene Speditionen! ∗∗∗ --------------------------------------------- Der Verkauf von gebrauchten Waren über Kleinanzeigenportale wie willhaben.at, shpock.com oder ebay.at boomt. Doch Vorsicht: Auch der Betrug auf solchen Plattformen wird uns derzeit häufig gemeldet. Besonders beliebt unter den Kriminellen ist die Kaufabwicklung über erfundene Speditionen. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-bei-abw… ∗∗∗ WhatsApp Pink: Watch out for this fake update ∗∗∗ --------------------------------------------- The malware sends automated replies to messages on WhatsApp and other major chat apps. --------------------------------------------- https://www.welivesecurity.com/2021/04/20/whatsapp-pink-watch-out-fake-upda… ===================== = Vulnerabilities = ===================== ∗∗∗ Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit ∗∗∗ --------------------------------------------- Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild. --------------------------------------------- https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.ht… ∗∗∗ Oracle veröffentlicht 390 Sicherheitsupdates für MySQL, Java & Co. ∗∗∗ --------------------------------------------- In seinem Quartalsupdate patcht sich Oracle durch sein Software-Portfolio und schließt unter anderem einige kritische Sicherheitslücken. --------------------------------------------- https://heise.de/-6022746 ∗∗∗ Jetzt patchen! Attacken auf E-Mail Security Appliances von SonicWall ∗∗∗ --------------------------------------------- Es gibt wichtige Updates für SonicWalls "Email Security". Angreifer nutzen eine Lücke derzeit aktiv aus. --------------------------------------------- https://heise.de/-6022716 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, php-pear, wordpress, and zabbix), Oracle (java-1.8.0-openjdk and java-11-openjdk), Red Hat (java-1.8.0-openjdk, java-11-openjdk, kernel, and kpatch-patch), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (seamonkey), SUSE (apache-commons-io, ImageMagick, kvm, ruby2.5, and sudo), and Ubuntu (edk2, libcaca, ntp, and ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/853759/ ∗∗∗ VU#567764: MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/567764 ∗∗∗ ZDI-21-442: (0Day) Advantech WebAccess/HMI Designer SNF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-442/ ∗∗∗ ZDI-21-441: (0Day) Advantech WebAccess/HMI Designer PLF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-441/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in Eclipse Jetty affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2019-17558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in jersey affect Apache Zookeeper shipped with IBM Operations Analytics – Log Analysis (CVE-2014-3643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jersey-a… ∗∗∗ Security Bulletin: Security Bulletin: IBM SDK Java Quarterly CPU Oct 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-sdk… ∗∗∗ Security Bulletin: SMTP for IBM i is affected by CVE-2021-20501 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-smtp-for-ibm-i-is-affecte… ∗∗∗ Security Bulletin: Update available for OpenSSL vulnerabilities affecting IBM Watson Speech Services 1.2.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-update-available-for-open… ∗∗∗ Security Bulletin: protobuf Vulnerability in Apache Solr affect IBM Operations Analytics – Log Analysis Analysis (CVE-2015-5237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-protobuf-vulnerability-in… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerability in Apache Ant affect IBM Operations Analytics – Log Analysis Analysis (CVE-2020-1945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a… ∗∗∗ Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-re… ∗∗∗ Hitachi ABB Power Grids Ellipse APM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-01 ∗∗∗ Rockwell Automation Stratix Switches ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-02 ∗∗∗ Delta Industrial Automation COMMGR ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-03 ∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-04 ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-05 ∗∗∗ Eaton Intelligent Power Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06 ∗∗∗ Siemens Mendix ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2021
by Daily end-of-shift report 20 Apr '21

20 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 19-04-2021 18:00 − Dienstag 20-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Remote Code Execution: Angriffe auf VPN-Geräte von Pulse Secure ∗∗∗ --------------------------------------------- Produkte von Pulse Secure sind von einer kritischen Sicherheitslücke betroffen, für die es keinen Patch gibt. Angriffe finden bereits statt. --------------------------------------------- https://www.golem.de/news/remote-code-execution-angriffe-auf-vpn-geraete-vo… ∗∗∗ Google Play apps with 700k installs steal texts and charge you money ∗∗∗ --------------------------------------------- Google removes eight apps after receiving report from researchers. --------------------------------------------- https://arstechnica.com/?p=1758227 ∗∗∗ Fake Microsoft Store, Spotify sites spread info-stealing malware ∗∗∗ --------------------------------------------- Attackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute malware to steal credit cards and passwords saved in web browsers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify… ∗∗∗ Breaking ABUS Secvest internet-connected alarm systems (CVE-2020-28973) ∗∗∗ --------------------------------------------- ABUS Secvest is a wireless alarm system that is marketed at consumers and small businesses. It is usually deployed by a specialized company. A Secvest FUAA50000 controller costs about EUR400. A typical deployment with motion sensors, a siren and door/window sensors can cost thousands of euro’s. In this article I will describe how more than 10.000 internet-connected alarm systems could be hacked and deactivated remotely. --------------------------------------------- https://eye.security/en/blog/breaking-abus-secvest-internet-connected-alarm… ∗∗∗ Firefox & Thunderbird: Sicherheitsrelevante Updates für Browser & E-Mail-Client ∗∗∗ --------------------------------------------- Mozilla hat Firefox 88 nebst ESR-Pendant sowie Thunderbird 78.10 veröffentlicht. Im Gepäck haben die Releases unter anderem auch wichtige Schwachstellen-Fixes. --------------------------------------------- https://heise.de/-6021309 ∗∗∗ Facebook Messenger users targeted by a large-scale scam ∗∗∗ --------------------------------------------- A large-scale scam campaign targeting Facebook Messenger users all over the world has been detected by Group-IB. Digital Risk Protection (DRP) analysts have found evidence proving that users in over 80 countries in Europe, Asia, the MEA region, North and South America might have been affected. By distributing ads promoting an allegedly updated version of Facebook Messenger, cybercriminals harvested users’ login credentials. --------------------------------------------- https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/ ∗∗∗ E-Mail: UnternehmerInnen werden aufgefordert, Corona-Tests bei "testversand.com" zu kaufen ∗∗∗ --------------------------------------------- In Deutschland müssen ArbeitgeberInnen ab heute für MitarbeiterInnen, die nicht im Home-Office sind, Corona-Tests bereitstellen. Diese Maßnahme nutzen Kriminelle und kontaktieren zahlreiche UnternehmerInnen, um den unseriösen Online-Shop für Corona-Tests "testversand.com" zu empfehlen. Es ist anzunehmen, dass dieses E-Mail auch an österreichische UnternehmerInnen versendet wird. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-unternehmerinnen-werden-aufge… ∗∗∗ Multi-factor authentication: Use it for all the people that access your network, all the time ∗∗∗ --------------------------------------------- The vast majority of cyberattacks involve a password being hacked - providing your employees with multi-factor authentication could go a long way towards stopping cyber criminals breaking into your network. --------------------------------------------- https://www.zdnet.com/article/multi-factor-authentication-use-it-for-all-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in Synology DiskStation Manager. DSM is the Linux-based operating system for every Synology network-attached storage device (NAS). --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-synology-dsm.html ∗∗∗ Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro ∗∗∗ --------------------------------------------- Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together. --------------------------------------------- https://www.wordfence.com/blog/2021/04/widespread-attacks-continue-targetin… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (CImg, gmic, leptonica, mingw-binutils, mingw-glib2, mingw-leptonica, mingw-python3, nodejs, and seamonkey), openSUSE (irssi, kernel, nextcloud-desktop, python-django-registration, and thunderbird), Red Hat (389-ds:1.4, kernel, kernel-rt, perl, and pki-core:10.6), SUSE (kernel, sudo, and xen), and Ubuntu (clamav and openslp-dfsg). --------------------------------------------- https://lwn.net/Articles/853614/ ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20453) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1971). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could affect InfoSphere Streams version 4.3 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: Multiple vulnerabilites in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-i… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to vulnerability in Apache POI (CVE-2019-12415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the JNDI component could affect InfoSphere Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: Potential TLS vulnerability using Diffie-Hellman TLS ciphersuites in IBM DataPower Gateway (CVE-2020-1968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-tls-vulnerabili… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2021
by Daily end-of-shift report 19 Apr '21

19 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-04-2021 18:00 − Montag 19-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Codecov: Gehacktes Entwickler-Tool Bash Uploader zum Datendiebstahl missbraucht ∗∗∗ --------------------------------------------- Unbekannte manipulierten den Bash Uploader-Code. Der Vorfall, der zwei Monate lang unbemerkt blieb, betrifft potenziell auch einige bekannte Firmen. --------------------------------------------- https://heise.de/-6019302 ∗∗∗ Ryuk ransomware operation updates hacking techniques ∗∗∗ --------------------------------------------- Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-up… ∗∗∗ NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator ∗∗∗ --------------------------------------------- BleepingComputer owner Lawrence Abrams reported infections of new singular ransomware dubbed NitroRansomware which demands a Discord Nitro gift code to the victims to decrypt their files. --------------------------------------------- https://heimdalsecurity.com/blog/nitroransomware-distributed-as-a-fake-free… ∗∗∗ BazarLoader Malware Abuses Slack, BaseCamp Clouds ∗∗∗ --------------------------------------------- Two cyberattack campaigns are making the rounds using unique social-engineering techniques. --------------------------------------------- https://threatpost.com/bazarloader-malware-slack-basecamp/165455/ ∗∗∗ Serious Security: Rowhammer is back, but now it’s called SMASH ∗∗∗ --------------------------------------------- Simply put: reading from RAM in your program could write to RAM in someone elses --------------------------------------------- https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-b… ∗∗∗ Querying Spamhaus for IP reputation, (Fri, Apr 16th) ∗∗∗ --------------------------------------------- Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that python script has evolved some which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added into that script. --------------------------------------------- https://isc.sans.edu/diary/rss/27320 ∗∗∗ Decoding Cobalt Strike Traffic, (Sun, Apr 18th) ∗∗∗ --------------------------------------------- In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike. --------------------------------------------- https://isc.sans.edu/diary/rss/27322 ∗∗∗ Hunting phishing websites with favicon hashes, (Mon, Apr 19th) ∗∗∗ --------------------------------------------- HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way. --------------------------------------------- https://isc.sans.edu/diary/rss/27326 ∗∗∗ Malware Spreads Via Xcode Projects Now Targeting Apples M1-based Macs ∗∗∗ --------------------------------------------- A Mac malware campaign targeting Xcode developers has been retooled to add support for Apples new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. --------------------------------------------- https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.ht… ∗∗∗ Malvertisers hacked 120 ad servers to load malicious ads ∗∗∗ --------------------------------------------- A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware. --------------------------------------------- https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-maliciou… ∗∗∗ Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack ∗∗∗ --------------------------------------------- The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack. --------------------------------------------- https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Schadcode-Lücken in NAS-Systemen von Qnap geschlossen ∗∗∗ --------------------------------------------- Fehler in verschiedenen Komponenten machen Netzwerkspeicher (NAS) von Qnap verwundbar. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6019234 ∗∗∗ VMSA-2021-0006 ∗∗∗ --------------------------------------------- A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware product. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0006.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...] --------------------------------------------- https://lwn.net/Articles/853420/ ∗∗∗ iApps vulnerability CVE-2020-17507 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11542555 ∗∗∗ libcroco vulnerability CVE-2020-12825 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01074825 ∗∗∗ Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0397 ∗∗∗ Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics – Log Analysis Analysis (CVE-2018-8017) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-with-apache… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2018-8036) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-p… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2021
by Daily end-of-shift report 16 Apr '21

16 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-04-2021 18:00 − Freitag 16-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken: Google Project Zero gibt Nutzern 30 Tage zum Patchen ∗∗∗ --------------------------------------------- Mit der neuen Regelung hofft Googles Project Zero auf mehr Sicherheit für die Nutzer und schnellere Patches. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-google-project-zero-gibt-nutze… ∗∗∗ [SANS ISC] HTTPS Support for All Internal Services ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “HTTPS Support for All Internal Services“: SSL/TLS has been on stage for a while with deprecated protocols, free certificates for everybody. The landscape is changing to force more and more people to switch to encrypted communications and this is good! Like Johannes explained yesterday, [...] --------------------------------------------- https://blog.rootshell.be/2021/04/16/sans-isc-https-support-for-all-interna… ∗∗∗ The rise of QakBot ∗∗∗ --------------------------------------------- AT&T Alien Labs closely monitors the evolution of crimeware such as the QakBot malware family and campaigns in connection with QakBot. The jointly coordinated takedown of the actors behind Emotet in late January has left a gap in the cybercrime landscape, which QakBot seems poised to fill. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot ∗∗∗ “Huge upsurge” in DDoS attacks during pandemic ∗∗∗ --------------------------------------------- A new report by Netscout sets yet out another way in which why 2020 was a record-breaking year for for all the wrong reasons. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/04/huge-upsurge-in-ddos-attacks-… ∗∗∗ Security vs User Journey ∗∗∗ --------------------------------------------- Something I often think about is how my recommendations for clients to fix small security issues can spoil / complicate their users’ journey. UX matters I understand that UX is [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/security-vs-user-journey/ ∗∗∗ Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers? ∗∗∗ --------------------------------------------- Unit 42 researchers found an attack in the wild targeting Nagios XI 5.7.5 that exploits CVE-2021-25296 and drops a cryptocurrency miner. Read more for an analysis of the vulnerable code, the resulting command injection, and the malicious scripts. --------------------------------------------- https://unit42.paloaltonetworks.com/nagios-xi-vulnerability-cryptomining/ ∗∗∗ CISA and CNMF Analysis of SolarWinds-related Malware ∗∗∗ --------------------------------------------- CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/cisa-and-cnmf-ana… ∗∗∗ Codecov discloses 2.5-month-long supply chain attack ∗∗∗ --------------------------------------------- Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to breach its platform and add a credentials harvester to one of its tools. --------------------------------------------- https://therecord.media/codecov-discloses-2-5-month-long-supply-chain-attac… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (smarty3), Fedora (libpano13, python3.8, and seamonkey), Mageia (chromium-browser-stable, gstreamer1.0, thunderbird, and x11-server), Oracle (libldb and thunderbird), SUSE (grafana and system-user-grafana, kernel, and openldap2), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, [...] --------------------------------------------- https://lwn.net/Articles/852978/ ∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Privilege Management and Path Traversal vulnerabilities in the Schneider Electric C-Bus Toolkit. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-105-01 ∗∗∗ EIPStackGroup OpENer Ethernet/IP ∗∗∗ --------------------------------------------- This advisory contains mitigations for Incorrect Conversion Between Numeric Types, Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in EIPStackGroup OpENer Ethernet IP. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-105-02 ∗∗∗ Multiple NSS vulnerabilities CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, and CVE-2020-12402 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61267093 ∗∗∗ NSS vulnerability CVE-2020-12403 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13290208 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0393 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2021
by Daily end-of-shift report 15 Apr '21

15 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-04-2021 18:00 − Donnerstag 15-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken: Link anklicken führt zu Remote Code Execution ∗∗∗ --------------------------------------------- In zahlreichen Applikationen finden sich Sicherheitslücken bei der Verarbeitung von Links, betroffen sind unter anderem VLC, Libreoffice und Telegram. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-link-anklicken-fuehrt-zu-remot… ∗∗∗ WordPress Continues to Fall Victim to Carding Attacks ∗∗∗ --------------------------------------------- Unsurprisingly, as WordPress continues to increase in popularity as an e-commerce platform, attackers continue to attempt to steal credit card information from unsuspecting clients. Currently, the WordPress plugin WooCommerce accounts for roughly a quarter of all online stores. Over recent years, attackers whose goal it is to fradulently obtain credit card information have mostly focused on e-commerce specific platforms such as Magento, PrestaShop and OpenCart [...] --------------------------------------------- https://blog.sucuri.net/2021/04/credit-card-swipers-in-wordpress.html ∗∗∗ Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched ∗∗∗ --------------------------------------------- A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week. --------------------------------------------- https://www.securityweek.com/exploit-second-unpatched-chromium-flaw-made-pu… ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-875726 V1.0: Privilege Escalation Vulnerability in Mendix ∗∗∗ --------------------------------------------- The latest updates for Mendix fix a vulnerability in Mendix Applications that could allow malicious authorized users to escalate their privileges. Mendix has released an update for Mendix and recommends to update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-875726.txt ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (kernel), openSUSE (clamav, fluidsynth, python-bleach, spamassassin, and xorg-x11-server), Red Hat (gnutls and nettle, libldb, and thunderbird), Scientific Linux (thunderbird), SUSE (clamav, util-linux, and xorg-x11-server), and Ubuntu (network-manager and underscore). --------------------------------------------- https://lwn.net/Articles/852726/ ∗∗∗ Juniper JUNOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Juniper JUNOS, Juniper Junos Evolved und Juniper SRX Series ausnutzen, um einen Denial of Service Angriff durchführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, Code zur Ausführung zu bringen, seine Privilegien zu erweitern und beliebigen Code mit Administratorrechten auszuführen. https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0387 ∗∗∗ Red Hat Virtualization Engine: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in der Red Hat Virtualization Engine ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, beliebigen Code auszuführen, einen Denial of Service Zustand auszulösen und kryptographische Maßnahmen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0385 ∗∗∗ WordPress: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0391 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0390 ∗∗∗ McAfee Endpoint Security: Schwachstelle ermöglicht Manipulation von Daten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0388 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2021
by Daily end-of-shift report 14 Apr '21

14 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-04-2021 18:00 − Mittwoch 14-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft schließt weitere Lücken in Windows und Mail/Groupware-System Exchange ∗∗∗ --------------------------------------------- Microsoft veröffentlicht über 2700 kritische und wichtige Updates für Exchange und Windows 10, aber auch für Windows 7 und 8.1 sowie ältere Serversysteme. --------------------------------------------- https://heise.de/-6015002 ∗∗∗ Patchday: Adobe verteilt Sicherheitsupdates gegen teils kritische Lücken ∗∗∗ --------------------------------------------- Aus Adobe Photoshop, Digital Editions & Bridge (Windows, macOS) wurden kritische Sicherheitslücken entfernt. Auch RoboHelp für Win bekam ein wichtiges Update. --------------------------------------------- https://heise.de/-6015086 ∗∗∗ Microsoft-Patchday: Updates entfernen aktiv genutzten Angriffsweg aus Windows ∗∗∗ --------------------------------------------- Zum Patchday hat Microsoft unter anderem eine Schwachstelle im Desktop Window Manager in Win 10 & Server-Pendants behoben, die derzeit aktiv ausgenutzt wird. --------------------------------------------- https://heise.de/-6015082 ∗∗∗ Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere ∗∗∗ --------------------------------------------- Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security [...] --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-azure-sphere-apri… ∗∗∗ Vorsicht! Unseriöse Praktiken bei über 120 Datingplattformen von Date4Friend AG! ∗∗∗ --------------------------------------------- Die Schweizer Firma Date4Friend AG betreibt zahlreiche Datingplattformen im deutschsprachigen Raum. Doch viele NutzerInnen ärgern sich über die Angebote von Date4Friend AG. So entpuppen sich eigentlich günstige Abos rasch als teure Abo-Falle. VerbraucherInnen beschweren sich zudem darüber, dass Abo-Kündigungen nicht angenommen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-unserioese-praktiken-bei-ue… ∗∗∗ 100,000 Google Sites Used to Install SolarMarket RAT ∗∗∗ --------------------------------------------- Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains. --------------------------------------------- https://threatpost.com/google-sites-solarmarket-rat/165396/ ∗∗∗ Jahresbericht 2020 von CERT.at und GovCERT Austria veröffentlicht ∗∗∗ --------------------------------------------- 2020 war einiges los in Bezug auf IT-Sicherheit in Österreich: Im Jänner sorgten CVE-2019-19781 a.k.a. "Shitrix" und der Angriff auf das BMEIA für einen turbulenten Start und den Rest des Jahres beschäftigten uns unter anderem Emotet, Ransomware und nicht eingespielte Updates. Aber auch abseits vom Tagesgeschäft der IT-Sicherheit hat sich einiges getan [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/4/jahresbericht-2020-von-certat-und-govce… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April Patch Tuesday ∗∗∗ --------------------------------------------- One month after disclosing four zero-day vulnerabilities in Exchange Server, Microsoft addresses four additional vulnerabilities discovered by the National Security Agency (NSA). --------------------------------------------- https://de.tenable.com/blog/cve-2021-28480-cve-2021-28481-cve-2021-28482-cv… ∗∗∗ New WhatsApp Bugs Couldve Let Attackers Hack Your Phone Remotely ∗∗∗ --------------------------------------------- Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even compromise encrypted communications. The flaws take aim at devices running Android versions up to and including Android 9 by carrying out whats known as a "man-in-the-disk" attack [...] --------------------------------------------- https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.ht… ∗∗∗ Recent Patches Rock the Elementor Ecosystem ∗∗∗ --------------------------------------------- Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints. --------------------------------------------- https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (screen), Debian (clamav, courier-authlib, and tomcat9), Red Hat (thunderbird), SUSE (clamav, glibc, kernel, open-iscsi, opensc, spamassassin, thunderbird, wpa_supplicant, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/852627/ ∗∗∗ New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291) ∗∗∗ --------------------------------------------- CVE-2021-20291 leads to a denial of service of the container engines CRI-O and Podman when pulling a malicious image from a registry. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2021-20291/ ∗∗∗ Schneider Electric SoMachine Basic ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Schneider Electric SoMachine Basic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-01 ∗∗∗ Advantech WebAccessSCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in Advantech WebAccess/SCADA browser-based software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-02 ∗∗∗ JTEKT TOYOPUC products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Resource Shutdown or Release vulnerability in JTEKT TOYOPUC programmable logic controller products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Reflected cross-site scripting in Microsoft Azure DevOps Server ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-in-microso… ∗∗∗ vBulletin Connect: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0373 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2021
by Daily end-of-shift report 13 Apr '21

13 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 12-04-2021 18:00 − Dienstag 13-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ NAME:WRECK DNS vulnerabilities affect over 100 million devices ∗∗∗ --------------------------------------------- Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/name-wreck-dns-vulnerabiliti… ∗∗∗ RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers ∗∗∗ --------------------------------------------- An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. --------------------------------------------- https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html ∗∗∗ CISA Details Malware Found on Hacked Exchange Servers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware. --------------------------------------------- https://www.securityweek.com/cisa-details-malware-found-hacked-exchange-ser… ∗∗∗ Unseriöse Kreditkartenabbuchungen von screenacy.co ∗∗∗ --------------------------------------------- Wenn von Ihrer Kreditkarte monatlich ein Betrag von screenacy.co abgebucht wird, ohne dass Sie etwas bestellt oder abonniert haben, sind Sie höchstwahrscheinlich in eine Abo-Falle getappt. Viele Betroffene können nicht nachvollziehen, wo und warum es zu einem Vertragsabschluss gekommen ist - meist aber durch bewusste Täuschung. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-kreditkartenabbuchungen-v… ∗∗∗ Winter 2020 Network Attack Trends: Internet of Threats ∗∗∗ --------------------------------------------- Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution. --------------------------------------------- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/ ∗∗∗ Threat Assessment: Clop Ransomware ∗∗∗ --------------------------------------------- In response to an uptick in Clop ransomware activity, we provide an overview and courses of action that can be used to mitigate it. --------------------------------------------- https://unit42.paloaltonetworks.com/clop-ransomware/ ∗∗∗ Threat Actor Type Inference and Characterization within Cyber Threat Intelligence. (arXiv:2103.02301v3 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- As the cyber threat landscape is constantly becoming increasingly complex and polymorphic, the more critical it becomes to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate with different sources to derive more contextual, accurate, and relevant intelligence. --------------------------------------------- https://arxiv.org/abs/2103.02301 ===================== = Vulnerabilities = ===================== ∗∗∗ [20210402] - Core - Inadequate filters on module layout settings ∗∗∗ --------------------------------------------- Inadequate filters on module layout settings could lead to an LFI. --------------------------------------------- https://developer.joomla.org:443/security-centre/851-20210402-core-inadequa… ∗∗∗ [20210401] - Core - Escape xss in logo parameter error pages ∗∗∗ --------------------------------------------- Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages. --------------------------------------------- https://developer.joomla.org:443/security-centre/850-20210401-core-escape-x… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libpano13), Fedora (mosquitto and perl-Net-CIDR-Lite), Mageia (curl, mongodb, pdfbox, python-jinja2, rygel, spamassassin, tor, velocity, webkit2, and wireshark), openSUSE (umoci), Oracle (389-ds:1.4, kernel, and virt:ol and virt-devel:rhel), Red Hat (kernel and kpatch-patch), Slackware (dnsmasq and irssi), and SUSE (cifs-utils, rubygem-actionpack-4_2, and spamassassin). --------------------------------------------- https://lwn.net/Articles/852526/ ∗∗∗ Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices ∗∗∗ --------------------------------------------- An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage (NAS) devices that run the Surveillance Station video management system. --------------------------------------------- https://www.securityweek.com/exploit-released-critical-vulnerability-affect… ∗∗∗ SAP Patchday April ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0370 ∗∗∗ ZDI-21-406: (0Day) Microsoft 3D Builder PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-406/ ∗∗∗ ZDI-21-405: (0Day) Microsoft Print 3D PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-405/ ∗∗∗ D-Bus vulnerability CVE-2020-12049 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16729408 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-163226 V1.0: CELL File Parsing Vulnerability in Tecnomatix RobotExpert ∗∗∗ --------------------------------------------- Siemens Tecnomatix RobotExpert version V16.1 fixes a vulnerability that could be triggered when the application reads CELL files. If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-163226.txt ∗∗∗ SSA-185699 V1.0: Out of Bounds Write Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains two out of bounds write vulnerabilities in the handling of DNS responses that could allow an attacker to cause a denial-of-service condition or to remotely execute code. Siemens has released updates for several affected products [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-185699.txt ∗∗∗ SSA-187092 V1.0: Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200 ∗∗∗ --------------------------------------------- Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-187092.txt ∗∗∗ SSA-201384 V1.0: Predictable UDP Port Number Vulnerability (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerability described in this advisories is from this set. The DNS client of affected products contains a vulnerability related to the handling of UDP port numbers in DNS requests that could allow an attacker to poison the DNS cache or spoof DNS resolving. Siemens has released updates for several affected products and recommends to update [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-201384.txt ∗∗∗ SSA-248289 V1.0: Denial-of-Service Vulnerabilities in the IPv6 Stack of Nucleus Products ∗∗∗ --------------------------------------------- The IPv6 stack of affected products contains two vulnerabilities when processing IPv6 headers which could allow an attacker to cause a denial-of-service condition. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-248289.txt ∗∗∗ SSA-292794 V1.0: Multiple Denial-of-Service Vulnerabilities in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- The latest update for SINEMA Remote Connect Server fixes two Denial-of-Service vulnerabilities in the underlying third-party XML parser. Siemens has released updates for the affected product and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-292794.txt ∗∗∗ SSA-497656 V1.0: Multiple NTP Vulnerabilities in TIM 4R-IE Devices ∗∗∗ --------------------------------------------- There are multiple vulnerabilities in the underlying NTP component of the affected TIM 4R-IE. Siemens recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-497656.txt ∗∗∗ SSA-574442 V1.0: Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- Siemens has released a new version for Solid Edge to fix multiple vulnerabilities that could be triggered when the application reads files in different file formats (PAR, DFT extensions). If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-574442.txt ∗∗∗ SSA-669158 V1.0: DNS Client Vulnerabilities in SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669158.txt ∗∗∗ SSA-705111 V1.0: Vulnerabilities (NAME:WRECK) in DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate the DNS responses and cause a denial-of-service condition. Siemens has released updates for several --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-705111.txt ∗∗∗ SSA-761844 V1.0: Multiple Vulnerabilities in Control Center Server (CCS) ∗∗∗ --------------------------------------------- The advisory informs about multiple vulnerabilities in the Central Control Server (CCS) application, as initially reported in SSA-761617 on 2019-12-10 and SSA-844761 on 2020-03-10. The vulnerabilities involve authentication bypass (CVE-2019-18337, CVE-2019-18341), path traversal (CVE-2019-18338, CVE-2019-19290), information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291), privilege escalation (CVE-2019-18342), SQL injection (CVE-2019-19292), cross-site scripting [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt ∗∗∗ SSA-788287 V1.0: Disclosure of Private Data ∗∗∗ --------------------------------------------- Due to SmartClient Installation technology (ClickOnce) a customer/integrator needs to create a customer specific Smartclient installer. The mentioned products delivered a trusted but yet expired codesigning certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable resulting in having a trusted digital signature from a trusted provider. The certificate was revoked immediately. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-788287.txt ∗∗∗ SSA-853866 V1.0: User Credentials Disclosure Vulnerability in Siveillance Video Open Network Bridge (ONVIF) ∗∗∗ --------------------------------------------- Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to unsecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. Siemens recommends to apply the hotfixes at the earliest opportunity. See also the chapter Additional Information, how to apply the hotfix. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-853866.txt ∗∗∗ SSA-983300 V1.0: Vulnerabilities in LOGO! Soft Comfort ∗∗∗ --------------------------------------------- Two vulnerabilities have been identified in the LOGO! Soft Comfort software. These could allow an attacker to take over a system with the affected software installed. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-983300.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2021
by Daily end-of-shift report 12 Apr '21

12 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-04-2021 18:00 − Montag 12-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Top 10 Secrets of Admin Users ∗∗∗ --------------------------------------------- Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role. --------------------------------------------- https://www.beyondtrust.com/blog/entry/the-top-10-secrets-of-admin-users ∗∗∗ Pulse Secure VPN users cant login due to expired certificate ∗∗∗ --------------------------------------------- Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-… ∗∗∗ Microsoft warnt vor Banking-Trojanern ∗∗∗ --------------------------------------------- Eine neue Angriffsmethode von Banking-Trojanern beunruhigt Microsoft. IcedID, auch bekannt als BokBot, ist ein modularer Banking-Trojaner, der es auf die Finanzdaten der Anwender abgesehen hat und als Dropper für andere Malware fungieren kann. --------------------------------------------- https://www.zdnet.de/88394286/microsoft-warnt-vor-banking-trojanern/ ∗∗∗ Messenger-Dienst: Angreifer können Whatsapp-Nutzer aus dem Dienst aussperren ∗∗∗ --------------------------------------------- Durch den massenhaften Versuch, eine Telefonnummer bei Whatsapp zu registrieren, könnte diese letztlich von dem Dienst ausgeschlossen werden. --------------------------------------------- https://www.golem.de/news/messenger-dienst-angreifer-koennen-whatsapp-nutze… ∗∗∗ APKPure: Schadcode in App des alternativen Android-Stores entdeckt ∗∗∗ --------------------------------------------- Wer Android-Anwendungen über APKPure bezieht und dazu die gleichnamige App verwendet, sollte jetzt updaten: Forscher fanden Schadcode in der vorherigen Version. --------------------------------------------- https://heise.de/-6011340 ∗∗∗ Zahlreiche Probleme auf all4you-fashion.com ∗∗∗ --------------------------------------------- Immer häufiger beschäftigen die Watchlist Internet problematische Dropshipping-Angebote. Sie richten sich an österreichische und deutsche KonsumentInnen, halten dabei aber rechtliche Vorgaben nicht ein. Wer beispielsweise auf all4you-fashion.com bestellt, soll trotz „garantierten 30-tägigen Rückgaberechts“ Bearbeitungsgebühren für den Rücktritt bezahlen. Rechtlich muss ein solcher Widerruf aber kostenlos möglich sein. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-probleme-auf-all4you-fash… ∗∗∗ Schadsoftware infiziert halbe Million Huawei-Smartphones über offizielle App Gallery ∗∗∗ --------------------------------------------- Joker Malware war in mehreren Programmen versteckt - SMS-Betrug seit 2017 in immer neuen Formen --------------------------------------------- https://www.derstandard.at/story/2000125753278/schadsoftware-infiziert-halb… ∗∗∗ Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th) ∗∗∗ --------------------------------------------- Over the past several years I have used multiple pre-built sensors using readily available ISO images (rockNSM, SO, OPNSense, etc) but what I was really looking for was just a sensor to parse traffic (i.e Zeek) and IDS alerts (Suricata) to ELK. --------------------------------------------- https://isc.sans.edu/diary/rss/27296 ∗∗∗ How ransomware gangs are connected, sharing resources and tactics ∗∗∗ --------------------------------------------- New research by Analyst1 sheds light on the cooperation between some of the ransomware gangs dominating the cybersecurity news. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-c… ∗∗∗ Recording: Analyzing Android Malware — >From triage to reverse-engineering ∗∗∗ --------------------------------------------- Its easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices [...] --------------------------------------------- https://blog.talosintelligence.com/2021/04/recording-analyzing-android-malw… ∗∗∗ Emotet Command and Control Case Study ∗∗∗ --------------------------------------------- We provide a step-by-step technical analysis of Emotet command and control, based on observations from before Emotet threat actors were disrupted. --------------------------------------------- https://unit42.paloaltonetworks.com/emotet-command-and-control/ ∗∗∗ Criminals spread malware using website contact forms with Google URLs ∗∗∗ --------------------------------------------- Crooks are using social engineering to exploit workers efforts to do their jobs. --------------------------------------------- https://www.zdnet.com/article/criminals-spread-malware-using-website-contac… ∗∗∗ Critical security alert: If you havent patched this old VPN vulnerability, assume your network is compromised ∗∗∗ --------------------------------------------- Hundreds of organisations that havent applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns. --------------------------------------------- https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched… ===================== = Vulnerabilities = ===================== ∗∗∗ Tripwire Patch Priority Index for March 2021 ∗∗∗ --------------------------------------------- Tripwire’s March 2021 Patch Priority Index (PPI) brings together important vulnerabilities from SaltStack, VWware, BIG-IP and Microsoft. First on the patch priority list this month are patches for vulnerabilities in Microsoft Exchange (CVE-2021-27065, CVE-2021-26855), SaltStack (CVE-2021-25282, CVE-2021-25281), BIG-IP (CVE-2021-22986) and VMware vCenter (CVE-2021-21972). Exploits for these vulnerabilities have been recently added to the Metasploit Exploit [...] --------------------------------------------- https://www.tripwire.com/state-of-security/vert/tripwire-patch-priority-ind… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin). --------------------------------------------- https://lwn.net/Articles/852339/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2021
by Daily end-of-shift report 09 Apr '21

09 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-04-2021 18:00 − Freitag 09-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Facebook-Leak: So könnten die Daten abhanden gekommen sein ∗∗∗ --------------------------------------------- Facebook und Linkedin bestreiten, dass es einen Einbruch gab. Andererseits enthalten die Leaks etwa Telefonnumern, die nicht öffentlich einsehbar sein sollten. --------------------------------------------- https://heise.de/-6009896 ∗∗∗ Gehackt: Windows, Ubuntu, Exchange, Teams, Zoom, Chrome, Safari und Edge ∗∗∗ --------------------------------------------- Für Prämien von insgesamt über 1 Million US-Dollar demonstrierten Hacker beim Pwn2Own 2021 erneut Sicherheitslücken in wichtigen IT-Produkten. --------------------------------------------- https://heise.de/-6010171 ∗∗∗ Sony bestätigt PS5-Betrug durch Fake-Shop "playstation-sony.eu" ∗∗∗ --------------------------------------------- Der aufwendig gestaltete Online-Shop gehört nicht zum Sony-Konzern. Analysen deuten auf ein großes Betrugs-Netzwerk hin. Spuren führen in die Ukraine. --------------------------------------------- https://heise.de/-6009907 ∗∗∗ Cisco: Keine Patches mehr für angreifbare SoHo-Router ∗∗∗ --------------------------------------------- Weil die Produkte nicht mehr unterstützt werden, will Cisco keine Fixes bereit stellen. Die Kunden sollen neuere Modelle kaufen. --------------------------------------------- https://heise.de/-6010387 ∗∗∗ Trojan detected in APKPure Android app store client software ∗∗∗ --------------------------------------------- Doctor Web specialists have discovered a malicious functionality in APKPure - an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission. The APKPure is one of the oldest and the most popular third-party games and software catalogs for the Android OS. --------------------------------------------- https://news.drweb.com/show/?i=14188&lng=en&c=9 ∗∗∗ IcedID Banking Trojan Surges: The New Emotet? ∗∗∗ --------------------------------------------- A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting its filling the Emotet void. --------------------------------------------- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ ∗∗∗ Threat matrix for storage services ∗∗∗ --------------------------------------------- Storage services are one of the most popular services in the cloud. In this blog, we outline potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment. --------------------------------------------- https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storag… ∗∗∗ [SANS ISC] No Python Interpreter? This Simple RAT Installs Its Own Copy ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: "No Python Interpreter? This Simple RAT Installs Its Own Copy": For a while, I’m keeping an eye on malicious Python code targeting Windows environments. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems. --------------------------------------------- https://blog.rootshell.be/2021/04/09/sans-isc-no-python-interpreter-this-si… ∗∗∗ Detecting Exposed Cobalt Strike DNS Redirectors ∗∗∗ --------------------------------------------- This research will focus on some of the active detections that can be used to fingerprint exposed Cobalt Strike servers that are using DNS as a communication channel. Although the research approach will be a bit different, the outcome will be similar to what JARM did for HTTP/HTTPs restricted to the scope of Cobalt Strike. --------------------------------------------- https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirect… ∗∗∗ Sysrv Botnet Expands and Gains Persistence ∗∗∗ --------------------------------------------- On March 4, 2021, Juniper Threat Labs identified a surge of activity of the Sysrv botnet. The botnet spread itself into Windows and Linux systems by exploiting multiple vulnerabilities, which we will cover in this blog. The threat actor’s objective is to install a Monero cryptominer. The attack remains active. Here’s what we’ve seen so far. --------------------------------------------- https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-ga… ∗∗∗ Cryptomining containers caught coining cryptocurrency covertly ∗∗∗ --------------------------------------------- Research has uncovered 30 compromised images in 10 different Docker Hub accounts, representing over 20 million pulls. --------------------------------------------- https://blog.malwarebytes.com/web-threats/2021/04/cryptomining-containers-c… ∗∗∗ A deep dive into Saint Bot, a new downloader ∗∗∗ --------------------------------------------- Saint Bot is a downloader that has been used to drop stealers. We take a deep look at it and its accompanying panel. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-sain… ∗∗∗ Vorsicht vor Kreditbetrug auf Facebook! ∗∗∗ --------------------------------------------- Die Auswirkungen der Corona-Krise sorgen immer noch dafür, dass viele Menschen von Finanzhilfen abhängig sind. Kriminelle nutzen dies aus und bieten auf Facebook angebliche Kredite und Darlehen an. Durch Kommentare und Privatnachrichten versuchen die BetrügerInnen das Vertrauen der Opfer zu gewinnen. Die Kredite werden jedoch niemals ausgezahlt, stattdessen sollen die Opfer Vorschusszahlungen leisten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kreditbetrug-auf-facebo… ∗∗∗ Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments ∗∗∗ --------------------------------------------- Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary - a Splunk-based dashboard - facilitates analysis of Sparrow data [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/08/using-aviary-to-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities Patched in WP Page Builder ∗∗∗ --------------------------------------------- On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any [...] --------------------------------------------- https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-b… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lib3mf, php-pear, and python-django), Fedora (perl-Net-Netmask), openSUSE (flatpak, libostree, xdg-desktop-portal,, fwupd, fwupdate, and hostapd), Oracle (kernel, libldb, nettle, and squid), Red Hat (nettle), and SUSE (fwupdate, tpm2-tss-engine, and umoci). --------------------------------------------- https://lwn.net/Articles/852110/ ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Integer Underflow vulnerability in the FATEK Automation WinProladder programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-098-01 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0366 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0364 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0362 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2021
by Daily end-of-shift report 08 Apr '21

08 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-04-2021 18:00 − Donnerstag 08-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung vor täuschend echtem Fake-Shop, der PS5 verkauft ∗∗∗ --------------------------------------------- Der Online-Store scheint auf den ersten Blick seriös. Dahinter verstecken sich aber Betrüger. --------------------------------------------- https://futurezone.at/games/warnung-vor-taeuschend-echtem-fake-shop-der-ps5… ∗∗∗ Hackerangriffe auf Logistikunternehmen ∗∗∗ --------------------------------------------- ESET hat herausgefunden, dass die Lazarus-Gruppe Logistikunternehmen gezielt angreift. Das ist heikel, denn Ausfälle in der weltweiten Frachtlogistik können gravierende Folgen haben. --------------------------------------------- https://www.zdnet.de/88394254/hackerangriffe-auf-logistikunternehmen/ ∗∗∗ How to Know If You Are Under DDoS Attack ∗∗∗ --------------------------------------------- Nowadays, the term DDoS probably raises the heart rate of most webmasters. Though many don’t know exactly what a DDoS attack is, they do know the effect: an extremely sluggish or shut-down website. In this article, we’ll focus on how to know if your website is under attack and how to protect it. --------------------------------------------- https://blog.sucuri.net/2021/04/how-to-know-if-you-are-under-a-ddos-attack.… ∗∗∗ [SANS ISC] Simple Powershell Ransomware Creating a 7Z Archive of your Files ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Simple Powershell Ransomware Creating a 7Z Archive of your Files“: If some ransomware families are based on PE files with complex features, it’s easy to write quick-and-dirty ransomware in other languages like Powershell. I found this sample while hunting. I’m pretty confident that this [...] --------------------------------------------- https://blog.rootshell.be/2021/04/08/sans-isc-simple-powershell-ransomware-… ∗∗∗ Vulnerability in Fortigate VPN servers is exploited in Cring ransomware attacks ∗∗∗ --------------------------------------------- In Q1 2021, threat actors conducted a series of attacks using the Cring ransomware. These attacks were mentioned in a Swisscom CSIRT tweet, but it remained unclear how the ransomware infects an organization's network. An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in Fortigate VPN servers. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigat… ∗∗∗ Update on git.php.net incident ∗∗∗ --------------------------------------------- Hi everyone, I would like to provide an update regarding the git.php.net security incident. To briefly summarize the most important information: - We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked. - master.php.net has been migrated to a new system main.php.net. - All php.net passwords have been reset. Go to https://main.php.net/forgot.php to set a new password. - git.php.net and svn.php.net are both read-only now, but will remain available for the time being. The following is a more detailed explanation of what happened and which actions were taken. --------------------------------------------- https://externals.io/message/113981 ∗∗∗ Office 365 phishing campaign uses publicly hosted JavaScript code ∗∗∗ --------------------------------------------- A new phishing campaign targeting Office 365 users cleverly tries to bypass email security protections by combining chunks of HTML code delivered via publicly hosted JavaScript code. The phishing email and page The subject of the phishing email says "price revision" and it contains no body - just an attachment (hercus-Investment 547183-xlsx.Html) that, at first glance, looks like an Excel document, but is actually an HTML document that contains encoded text pointing to two [...] --------------------------------------------- https://www.helpnetsecurity.com/2021/04/08/office-365-phishing-javascript/ ∗∗∗ Zoom zero-day discovery makes calls safer, hackers $200,000 richer ∗∗∗ --------------------------------------------- White hat hackers have demonstrated a Remote Code Execution attack against Zoom at the Pwn2Own event. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zer… ∗∗∗ Library Dependencies and the Open Source Supply Chain Nightmare ∗∗∗ --------------------------------------------- It’s a bigger problem than is immediately apparent, and has the potential for hacks as big as Equifax and as widespread as SolarWinds. --------------------------------------------- https://www.securityweek.com/library-dependencies-and-open-source-supply-ch… ∗∗∗ appleiphoneunlock.uk: Unseriöse Praktiken beim Entfernen der iCloud-Aktivierungssperre! ∗∗∗ --------------------------------------------- Sie haben ein gebrauchtes iPhone gekauft und erst im Nachhinein festgestellt, dass Sie es mit Ihrer iCloud-ID gar nicht nutzen können? Die Lösung: Die iCloud-Aktivierungssperre muss freigeschalten werden. Aber Achtung: Unseriöse Seiten bieten solche Entsperrungsdienste an. So zum Beispiel appleiphoneunlock.uk. KonsumentInnen berichten, dass die Angaben beim Bestellprozess irreführend sind und immer wieder weitere Kosten anfallen. --------------------------------------------- https://www.watchlist-internet.at/news/appleiphoneunlockuk-unserioese-prakt… ∗∗∗ Weiter fake Willhaben-SMS zu angeblicher PayLivery-Zahlung ∗∗∗ --------------------------------------------- Zahlreiche KonsumentInnen wenden sich momentan an die Watchlist Internet, da sie eine betrügerische SMS zu einer Willhaben-Anzeige erhalten haben. Die Nachricht der Kriminellen täuscht eine Zahlung vor und leitet auf gefälschte Willhaben-Seiten weiter. Die SMS müssen ignoriert werden, ansonsten droht ein Geld- und Datenverlust! --------------------------------------------- https://www.watchlist-internet.at/news/weiter-fake-willhaben-sms-zu-angebli… ∗∗∗ GamerInnen aufgepasst: So versuchen Kriminelle Ihren Steam-Account zu klauen! ∗∗∗ --------------------------------------------- Mit mehr als einer Milliarde aktiven NutzerInnen und mit über 30.000 Spielen ist Steam die größte Gaming-Plattform. Kein Wunder, dass die Plattform auch ein beliebtes Ziel für BetrügerInnen ist. Immer wieder geben sich Kriminelle als Steam-MitarbeiterInnen aus, um an die Accounts der SpielerInnen zu kommen. Wir zeigen Ihnen wie die Masche funktioniert und wie Sie sich schützen. --------------------------------------------- https://www.watchlist-internet.at/news/gamerinnen-aufgepasst-so-versuchen-k… ===================== = Vulnerabilities = ===================== ∗∗∗ Azure Functions Weakness Allows Privilege Escalation ∗∗∗ --------------------------------------------- Microsofts cloud-container technology allows attackers to directly write to files, researchers said. --------------------------------------------- https://threatpost.com/azure-functions-privilege-escalation/165307/ ∗∗∗ Cisco: Wichtige Updates beseitigen aus der Ferne attackierbare Sicherheitslücken ∗∗∗ --------------------------------------------- Die ersten Cisco-Updates nach den Feiertagen zielen unter anderem auf die SD-WAN vManage Software und Small Business RV Router. Zwei Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-6008277 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, libldb, rpm, samba, and seamonkey), openSUSE (isync), Oracle (kernel), Red Hat (openssl and squid), SUSE (ceph, flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk, fwupd, fwupdate, and openexr), and Ubuntu (curl, linux-lts-trusty, and lxml). --------------------------------------------- https://lwn.net/Articles/851956/ ∗∗∗ ImageMagick: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0361 ∗∗∗ ClamAV: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0358 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2021
by Daily end-of-shift report 07 Apr '21

07 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-04-2021 18:00 − Mittwoch 07-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Windows XP makes ransomware gangs work harder for their money ∗∗∗ --------------------------------------------- A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even when Microsoft dropped supporting it seven years ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-xp-makes-ransomware-… ∗∗∗ Top Cybercriminal Gangs Are Using EtterSilent Maldoc Builder ∗∗∗ --------------------------------------------- A malicious document builder named EtterSilent is becoming popular amongst cybercriminals as the developers keep improving it in order to avoid being detected by security solutions. --------------------------------------------- https://heimdalsecurity.com/blog/top-cybercriminal-gangs-are-using-ettersil… ∗∗∗ Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th) ∗∗∗ --------------------------------------------- Couple of weeks ago, my phishing/spam trap caught an interesting e-mail carrying what turned out to be a sample of the Lokibot Infostealer. --------------------------------------------- https://isc.sans.edu/diary/rss/27282 ∗∗∗ WiFi IDS and Private MAC Addresses, (Wed, Apr 7th) ∗∗∗ --------------------------------------------- Nzyme does focus on WiFi-specific attacks, so it does not care about payload but inspects the 802.11 headers that escape traditional, wired IDSs. --------------------------------------------- https://isc.sans.edu/diary/rss/27288 ∗∗∗ New article: Dissecting the design and vulnerabilities in AZORult C&C panels ∗∗∗ --------------------------------------------- In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his teams findings related to the C&C design and some security issues they identified. --------------------------------------------- https://www.virusbulletin.com/blog/2021/04/new-article-dissecting-design-an… ∗∗∗ Aurora campaign: Attacking Azerbaijan using multiple RATs ∗∗∗ --------------------------------------------- We identified a new Python-based RAT targeting Azerbaijan from the same threat actor we profiled a month ago. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attac… ∗∗∗ Fake Trezor app steals more that $1 million worth of crypto coins ∗∗∗ --------------------------------------------- Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have lost fortunes after being duped by a phishing app. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/04/fake-trezor-app-st… ∗∗∗ White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021 ∗∗∗ --------------------------------------------- On the first day of the Pwn2Own 2021 hacking competition, participants earned more than half a million dollars, including $440,000 for demonstrating exploits against Microsoft products. --------------------------------------------- https://www.securityweek.com/white-hats-earn-440000-hacking-microsoft-produ… ∗∗∗ New wormable Android malware poses as Netflix to hijack WhatsApp sessions ∗∗∗ --------------------------------------------- Users are lured in with the promise of a free premium subscription. --------------------------------------------- https://www.zdnet.com/article/new-android-malware-poses-as-netflix-to-hijac… ∗∗∗ Flexible taxonomies and new software for the tag2domain project ∗∗∗ --------------------------------------------- Domain Names are the center piece of locating services on the internet and they can be used for a variety of purposes and services. Understanding the type of services a Domain Name offers is one of the key aspects of Internet Security. --------------------------------------------- https://cert.at/en/blog/2021/4/flexible-taxonomies-and-new-software-for-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Notenmanipulation möglich: Große Schwachstelle in Lern-Software Moodle ∗∗∗ --------------------------------------------- Die freie Lernplattform Moodle wies über Jahre eine Sicherheitslücke auf, mit der Schüler unter anderem ihre Noten manipulieren konnten. --------------------------------------------- https://www.golem.de/news/notenmanipulation-moeglich-grosse-schwachstelle-i… ∗∗∗ Upload beliebiger Dateien und Umgehung von .htaccess Regeln in Monospace Directus Headless CMS ∗∗∗ --------------------------------------------- Monospace Directus CMS Docker Images, welche Apache als Webserver mit lokalem Storage nutzen, sind von einer Schwachstelle betroffen, über die jeder authentifizierte Nutzer beliebige Dateien und Ordner hochladen kann. In unveränderter Standard-Konfiguration ist Directus somit anfällig für Remote Code Execution und Veränderung von Webserver .htaccess Regeln. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload… ∗∗∗ SAP-Produkte: CISA warnt vor Gefahren durch verschleppte Sicherheitsupdates ∗∗∗ --------------------------------------------- Die CISA und Forscher von Onapsis warnen vor Angriffsmöglichkeiten auf SAP-Produkte über sechs ältere Schwachstellen. Updates sind teils schon lange verfügbar. --------------------------------------------- https://heise.de/-6007209 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (chromium), Oracle (flatpak and kernel), Red Hat (virt:8.3 and virt-devel:8.3), and SUSE (gssproxy and xen). --------------------------------------------- https://lwn.net/Articles/851868/ ∗∗∗ Hitachi ABB Power Grids Multiple Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in some Hitachi ABB Power Grids products using IED 61850 interfaces. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-096-01 ∗∗∗ Security Advisory - Pointer Double Free Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2021
by Daily end-of-shift report 06 Apr '21

06 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-04-2021 18:00 − Dienstag 06-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malicious cheats for Call of Duty: Warzone are circulating online ∗∗∗ --------------------------------------------- The cheat is fake, but the malware it installs is the real thing. --------------------------------------------- https://arstechnica.com/?p=1754269 ∗∗∗ Telefonnummer, E-Mail: Bin ich im Facebook-Leak? ∗∗∗ --------------------------------------------- Auf verschiedenen Webseiten können Nutzer prüfen, ob sie zu den 533 Millionen Betroffenen des Facebook-Datenlecks gehören. --------------------------------------------- https://www.golem.de/news/telefonnummer-e-mail-bin-ich-im-facebook-leak-210… ∗∗∗ Kryptomining: Coinhive-Skripte warnen vor sich selbst ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Troy Hunt hat die Domains des Kryptominers Coinhive bekommen. Mit ihnen macht er auf Sicherheitsprobleme aufmerksam. --------------------------------------------- https://www.golem.de/news/kryptomining-coinhive-skripte-warnen-vor-sich-sel… ∗∗∗ The leap of a Cycldek-related threat actor ∗∗∗ --------------------------------------------- The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector. --------------------------------------------- https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/ ∗∗∗ From PowerShell to Payload: An Analysis of Weaponized Malware ∗∗∗ --------------------------------------------- John Hammond, security researcher with Huntress, takes a deep-dive into a stagers technical and coding aspects. --------------------------------------------- https://threatpost.com/powershell-payload-analysis-malware/165188/ ∗∗∗ YARA and CyberChef: ZIP, (Sun, Apr 4th) ∗∗∗ --------------------------------------------- When processing the result of "unzip" in CyberChef, for example with YARA rules, all files contained inside the ZIP file, are concatenated together. --------------------------------------------- https://isc.sans.edu/diary/rss/27276 ∗∗∗ Gigaset: Malware-Befall von Android-Geräten des Herstellers gibt Rätsel auf ∗∗∗ --------------------------------------------- Besitzer von Android-Smartphones von Gigaset kämpfen seit einigen Tagen mit Malware. Einiges deutet auf einen kompromittierten Update-Server als Quelle hin. --------------------------------------------- https://heise.de/-6006464 ∗∗∗ Man in the Terminal ∗∗∗ --------------------------------------------- By using path hijacking and modification on Unix-like machines, we can achieve pseudo-keylogging functionality by prioritizing malicious middleware binaries to record and transfer standard input/output streams. --------------------------------------------- https://posts.specterops.io/man-in-the-terminal-65476e6165b9 ∗∗∗ 2020 Phishing Trends With PDF Files ∗∗∗ --------------------------------------------- We analyzed recent phishing trends with PDF files and noted a dramatic increase in the practice, as well as five approaches popular with attackers. --------------------------------------------- https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/ ∗∗∗ SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications ∗∗∗ --------------------------------------------- New research also reveals that SAP vulnerabilities, on average, are weaponized in less than 72 hours. --------------------------------------------- https://www.zdnet.com/article/sap-issues-advisory-on-vulnerable-application… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Out-of-bounds write vulnerabilities in Accusoft ImageGear ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a [...] --------------------------------------------- https://blog.talosintelligence.com/2021/03/vuln-spotlight-accusoft-image-ge… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxstream-java, php-nette, and smarty3), Fedora (curl, openssl, spamassassin, and webkit2gtk3), Mageia (ant, batik, kernel, kernel-linus, nodejs-chownr, nodejs-yargs-parser, python-bottle, and ruby-em-http-request), openSUSE (curl and OpenIPMI), and Red Hat (openssl). --------------------------------------------- https://lwn.net/Articles/851640/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, netty, python-bleach, and python3.5), Fedora (libmediainfo, libzen, and mediainfo), Mageia (openssl), openSUSE (chromium), Red Hat (389-ds:1.4, flatpak, kernel, kernel-rt, kpatch-patch, libldb, and virt:rhel and virt-devel:rhel), and Ubuntu (python-django and ruby-rack). --------------------------------------------- https://lwn.net/Articles/851772/ ∗∗∗ Android Patchday April ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0344 ∗∗∗ QTS 4.3.6.1620 Build 20210322 ∗∗∗ --------------------------------------------- Security Updates Fixed a command injection vulnerability (CVE-2020-2509). Fixed a vulnerability in Apache HTTP server (CVE-2020-9490). --------------------------------------------- https://www.qnap.com/en/release-notes/qts/4.3.6.1620/20210322 ∗∗∗ Shodan Verified Vulns 2021-04-01 ∗∗∗ --------------------------------------------- Der März verging Dank (?) den Exchange-Schachstellen wie im Flug und wir werfen entsprechend wieder einen Blick auf jene Schwachstellen, die Shodan in Österreich sieht. Mit Stand 2021-04-01 ergab sich Folgendes: Es ist also passiert! Mit einem Schlag sind die TLS-Schwachstellen (fast) vom Thron gestoßen – die Microsoft Exchange Lücken greifen nach der Spitze. --------------------------------------------- https://cert.at/de/aktuelles/2021/4/shodan-verified-vulns-2021-04-01 ∗∗∗ April 5, 2021 TNS-2021-07 [R1] Nessus 8.14.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-07 ∗∗∗ Grafana vulnerability CVE-2019-15043 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00843201 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2021
by Daily end-of-shift report 02 Apr '21

02 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-04-2021 18:00 − Freitag 02-04-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 5 steps to respond to a data breach ∗∗∗ --------------------------------------------- This blog was written by an independent guest blogger. You’ve just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you’re the rare breed who plans in advance how to respond. Even better if this planning includes how to prevent them. But to execute a logical, effective response, keep reading. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/5-steps-to-respond-… ∗∗∗ VMware fixes authentication bypass in data center security software ∗∗∗ --------------------------------------------- VMware has addressed a critical vulnerability in the VMware Carbon Black Cloud Workload appliance that could allow attackers to bypass authentication after exploiting vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-fixes-authentication-… ∗∗∗ New ‘BazarCall’ Malware Uses Call Centers to Trick its Victims into Infecting Themselves ∗∗∗ --------------------------------------------- Today’s hackers have never been more old-fashioned – they are currently using a telephone call as a “brand new “technique to infect their victim’s devices. --------------------------------------------- https://heimdalsecurity.com/blog/bazarcall-malware-uses-call-centers-to-tri… ∗∗∗ Browser lockers: extortion disguised as a fine ∗∗∗ --------------------------------------------- In this article we discuss browser lockers that mimic law enforcement websites. --------------------------------------------- https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/ ∗∗∗ Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting ∗∗∗ --------------------------------------------- A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages. --------------------------------------------- https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-… ∗∗∗ [SANS ISC] C2 Activity: Sandboxes or Real Victims? ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “C2 Activity: Sandboxes or Real Victims?“: In my last diary, I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the [...] --------------------------------------------- https://blog.rootshell.be/2021/04/02/sans-isc-c2-activity-sandboxes-or-real… ∗∗∗ A “txt file” can steal all your secrets ∗∗∗ --------------------------------------------- Recently, 360 Security Center’s threat monitoring platform has detected an email phishing attack. This attack uses a secret-stealing Trojan called Poulight. --------------------------------------------- https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/ ∗∗∗ Unpatched RCE Flaws Affect Tens of Thousands of QNAP SOHO NAS Devices ∗∗∗ --------------------------------------------- A pair of unpatched vulnerabilities in QNAP small office/home office (SOHO) network attached storage (NAS) devices could allow attackers to execute code remotely, according to a warning from security researchers at SAM Seamless Network. --------------------------------------------- https://www.securityweek.com/unpatched-rce-flaws-affect-tens-thousands-qnap… ∗∗∗ Nine Critical Flaws in FactoryTalk Product Pose Serious Risk to Industrial Firms ∗∗∗ --------------------------------------------- Industrial automation giant Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product. --------------------------------------------- https://www.securityweek.com/nine-critical-flaws-factorytalk-product-pose-s… ∗∗∗ Financial Sector Remains Most Targeted by Threat Actors: IBM ∗∗∗ --------------------------------------------- Organizations in the financial and insurance sectors were the most targeted by threat actors in 2020, continuing a trend that was first observed roughly five years ago, IBM Security reports. --------------------------------------------- https://www.securityweek.com/financial-sector-remains-most-targeted-threat-… ∗∗∗ Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool ∗∗∗ --------------------------------------------- We review samples of recent Hancitor infections, share relatively new indicators and provide examples of an associated network ping tool. --------------------------------------------- https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/ ∗∗∗ The best laid plans or lack thereof: Security decision-making of different stakeholder groups. (arXiv:2104.00284v1 [cs.CR]) ∗∗∗ --------------------------------------------- Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security [...] --------------------------------------------- http://arxiv.org/abs/2104.00284 ∗∗∗ FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-ad… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Jabber for Windows DLL Preloading Vulnerability ∗∗∗ --------------------------------------------- Version: 1.2 Description: Added information about additional software fixes because of a regression that reintroduced this vulnerability in subsequent software versions. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) ∗∗∗ --------------------------------------------- # Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) # Exploit Author: Al1ex # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 # CVE : CVE-2021-22986 https://github.com/Al1ex/CVE-2021-22986 --------------------------------------------- https://www.exploit-db.com/exploits/49738 ∗∗∗ K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗ --------------------------------------------- Indicators of compromise Important: F5 last updated this section on March 26, 2021 at 5:45 PM Pacific time. The information in this section is based on evidence that F5 has collected and believes to be reliable indicators of compromise. It is important to note that exploited systems may show different indicators, and a skilled attacker may be able to remove traces of their work. It is impossible to prove a device is not compromised; if you have any uncertainty, consider the device to be compromised. --------------------------------------------- https://support.f5.com/csp/article/K03009991 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr). --------------------------------------------- https://lwn.net/Articles/851511/ ∗∗∗ March 31, 2021 TNS-2021-05 [R1] Nessus 8.13.2 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2021
by Daily end-of-shift report 01 Apr '21

01 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-03-2021 18:00 − Donnerstag 01-04-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Datenleck bei Ubiquiti war deutlich umfassender ∗∗∗ --------------------------------------------- Laut einem Bericht konnten die Angreifer auf Quellcode und Credentials von Ubiquiti zugreifen. Der Netzwerkgerätehersteller widerspricht nicht. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-datenleck-bei-ubiquiti-war-deut… ∗∗∗ Who Contains the Containers? ∗∗∗ --------------------------------------------- This is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights into what to look for if you’re researching this area. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html ∗∗∗ Changes in Sinkhole and Honeypot Report Types and Formats ∗∗∗ --------------------------------------------- Over the years, Shadowserver’s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01. --------------------------------------------- https://www.shadowserver.org/news/changes-in-sinkhole-and-honeypot-report-t… ∗∗∗ The Importance of Website Backups ∗∗∗ --------------------------------------------- Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into the category of precious digital assets --------------------------------------------- https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html ∗∗∗ Back in a Bit: Attacker Use of the Windows Background IntelligentTransfer Service ∗∗∗ --------------------------------------------- Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP to simplify and coordinate downloading and uploading large files. Applications and system components, most notably Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal user disruption. [...] As is the case with many technologies, BITS can be used both by legitimate applications and by attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-window… ∗∗∗ DoS-Lücke in Virtualisierungsplattform Citrix Hypervisor geschlossen ∗∗∗ --------------------------------------------- Abgesicherte Versionen von Citrix Hypervisor verhindern Zugriffe auf Host-Systeme. --------------------------------------------- https://heise.de/-6003757 ∗∗∗ Report: USB threats to ICS systems have nearly doubled ∗∗∗ --------------------------------------------- The latest Honeywell USB Threat Report 2020 indicates that the number of threats specifically targeting Operational Technology systems has nearly doubled from 16% to 28%, while the number of threats capable of disrupting those systems rose from 26% to 59% over the same period. --------------------------------------------- https://www.tripwire.com/state-of-security/ics-security/report-usb-threats-… ∗∗∗ Digital Forensics vs. Anti-Digital Forensics: Techniques, Limitations and Recommendations. (arXiv:2103.17028v1 [cs.CR]) ∗∗∗ --------------------------------------------- The number of cyber attacks has increased tremendously in the last few years. This resulted into both human and financial losses at the individual and organization levels. Recently, cyber-criminals are leveraging new skills and capabilities by employing anti-forensics activities, techniques and tools to cover their tracks and evade any possible detection. --------------------------------------------- http://arxiv.org/abs/2103.17028 ∗∗∗ Is your dishwasher trying to kill you? ∗∗∗ --------------------------------------------- Does every device in your home really need to be connected to the internet? And could it be turned against you? --------------------------------------------- https://www.welivesecurity.com/2021/04/01/is-your-dishwasher-trying-kill-yo… ∗∗∗ CISA Releases Supplemental Direction on Emergency Directive for Microsoft Exchange Server Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued supplemental direction to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities providing additional forensic triage and server hardening, requirements for federal agencies. Specifically, this update directs federal departments and agencies to run newly developed tools - Microsoft’s Test-ProxyLogon.ps1 script and Safety Scanner MSERT - to investigate whether their Microsoft Exchange [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/cisa-releases-sup… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-399: (0Day) D-Link DIR-882 HNAP Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-882 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-399/ ∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗ --------------------------------------------- On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Fast Reload Vulnerabilities ∗∗∗ --------------------------------------------- Version: 1.1 Description: Added Catalyst 3650 switches as affected products. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS). These patches resolve multiple vulnerabilities related to improper access control and incorrect permission assignment privilege escalation as well as insecure file permissions. --------------------------------------------- https://success.trendmicro.com/solution/000286019 ∗∗∗ VMSA-2021-0005 ∗∗∗ --------------------------------------------- VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0005.html ∗∗∗ VMSA-2021-0004.1 - VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983) ∗∗∗ --------------------------------------------- 2021-03-31: VMSA-2021-0004.1 - Updated advisory with information on vROps 7.0.0 workarounds. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0004.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin). --------------------------------------------- https://lwn.net/Articles/851381/ ∗∗∗ Rockwell Automation FactoryTalk AssetCentre ∗∗∗ --------------------------------------------- This advisory contains mitigations for OS Command Injection, Deserialization of Untrusted Data, SQL Injection, and Improperly Restricted Functions vulnerabilities in Rockwell Automation FactoryTalk AssetCentre automation software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-091-01 ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331… ∗∗∗ Security Advisory - Arbitrary Memory Write Vulnerability in Huawei Smart Phone ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331… ∗∗∗ March 31, 2021 TNS-2021-06 [R1] Tenable.sc 5.18.0 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-06 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0334 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2021
by Daily end-of-shift report 31 Mar '21

31 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-03-2021 18:00 − Mittwoch 31-03-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Financial Cyberthreats in 2020 ∗∗∗ --------------------------------------------- This research is a continuation of our annual financial threat reports providing an overview of the latest trends and key events across the financial threat landscape. The study covers the common phishing threats, along with Windows and Android-based financial malware. --------------------------------------------- https://securelist.com/financial-cyberthreats-in-2020/101638/ ∗∗∗ Ziggy Ransomware Gang Offers Refunds to Victims ∗∗∗ --------------------------------------------- Ziggy joins Fonix ransomware group and shuts down, with apologies to targets. --------------------------------------------- https://threatpost.com/ziggy-ransomware-gang-offers-refund-to-victims/16512… ∗∗∗ 3MinMax Series Topic Review - Apple Acquisition ∗∗∗ --------------------------------------------- Apple devices are an entirely different platform than Windows, and there are many different considerations when preparing to acquire an Apple machine. --------------------------------------------- https://www.sans.org/blog/3minmax-series-topic-review---apple-acquisition ∗∗∗ [SANS ISC] Quick Analysis of a Modular InfoStealer ∗∗∗ --------------------------------------------- This morning, an interesting phishing email landed in my spam trap. The mail was redacted in Spanish and, as usual, asked the recipient to urgently process the attached document. --------------------------------------------- https://blog.rootshell.be/2021/03/31/sans-isc-quick-analysis-of-a-modular-i… ∗∗∗ Whistleblower: Ubiquiti Breach “Catastrophic” ∗∗∗ --------------------------------------------- On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. --------------------------------------------- https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrop… ∗∗∗ The Often-Overlooked Element of a Hack: Endpoints ∗∗∗ --------------------------------------------- It is Vital to Maintain Granular Visibility and Control Over Access Points to Establish Resilience --------------------------------------------- https://www.securityweek.com/often-overlooked-element-hack-endpoints ∗∗∗ Vorsicht beim Fahrrad-Kauf: marti-bosom.de ist ein Fake-Shop! ∗∗∗ --------------------------------------------- Mit den wärmer werdenden Temperaturen beginnt die Fahrrad-Saison. Für viele ist es die Zeit, um sich ein neues Fahrrad zu kaufen. Aufgrund der anhaltenden Corona-Krise passiert das immer öfter online. Hier gilt es jedoch vorsichtig zu sein, da es auch in diesem Bereich betrügerische Fake-Shops gibt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-fahrrad-kauf-marti-bos… ∗∗∗ Ransomware: Why were now facing a perfect storm ∗∗∗ --------------------------------------------- Normalising the act of paying a ransom to cyber criminals does nothing to protect anyone against ransomware, warns report. --------------------------------------------- https://www.zdnet.com/article/ransomware-why-were-now-facing-a-perfect-stor… ∗∗∗ Gaming mods, cheat engines are spreading Trojan malware and planting backdoors ∗∗∗ --------------------------------------------- Mods and cheat systems for games are being exploited to deploy information-stealing malware. --------------------------------------------- https://www.zdnet.com/article/gaming-tools-backdoored-cheat-engines-are-now… ∗∗∗ BLEKeeper: Response Time Behavior Based Man-In-The-Middle Attack Detection ∗∗∗ --------------------------------------------- Bluetooth Low Energy (BLE) has become one of the most popular wireless communication protocols and is used in billions of smart devices. Despite several security features, the hardware and software limitations of thesedevices makes them vulnerable to man-in-the-middle (MITM) attacks. --------------------------------------------- http://arxiv.org/abs/2103.16235 ===================== = Vulnerabilities = ===================== ∗∗∗ Fake jQuery files infect WordPress sites with malware ∗∗∗ --------------------------------------------- Researchers have spotted counterfeit versions of the jQuery Migrate plugin injected on dozens of websites which contains obfuscated code to load malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-jquery-files-infect-wor… ∗∗∗ Angreifer könnten Admin-Zugangsdaten von VMware vRealize kopieren ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Management-Software für Cloud-Umgebungen vRealize Operations. --------------------------------------------- https://heise.de/-6002805 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, ldb, leptonlib, and linux-4.19), Fedora (busybox), Gentoo (openssl, redis, salt, and sqlite), Mageia (firefox, fwupd, glib2.0, python-aiohttp, radare2, thunderbird, and zeromq), openSUSE (firefox), SUSE (ovmf, tomcat, and zabbix), and Ubuntu (curl, lxml, and pygments). --------------------------------------------- https://lwn.net/Articles/851269/ ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 89.0.4389.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/google-releases-s… ∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000286157 ∗∗∗ Multiple dnsmasq vulnerabilities CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98221124 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0333 ∗∗∗ Denial of Service in Rexroth ActiveMover using EtherNet/IP protocol ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-282922.html ∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637429.html ∗∗∗ SYSS-2021-006: SQL Injection-Schwachstelle in FireEye EX ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-006-sql-injection-schwachstelle-… ∗∗∗ SYSS-2021-005: SQL Injection-Schwachstelle in FireEye EX ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-005-sql-injection-schwachstelle-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2021
by Daily end-of-shift report 30 Mar '21

30 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 29-03-2021 18:00 − Dienstag 30-03-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Card Complete: Warnung vor täuschend echten Phishing-Mails ∗∗∗ --------------------------------------------- Es sind aktuell vermeintliche Mails von Card Complete im Umlauf, die täuschend echt aussehen. --------------------------------------------- https://futurezone.at/digital-life/card-complete-warnung-vor-taeuschend-ech… ∗∗∗ IT-Sicherheitsexperte: "Bei den Exchange-Fällen waren wir am Limit" ∗∗∗ --------------------------------------------- Tim Philipp Schäfers hilft aktuell Firmen, Sicherheitslücken in Exchange zu schließen. Einige hätten Schäden recht einfach verhindern können, sagt er. Ein Interview von Moritz Tremmel --------------------------------------------- https://www.golem.de/news/it-sicherheitsexperte-bei-den-exchange-faellen-wa… ∗∗∗ New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats ∗∗∗ --------------------------------------------- The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-stu… ∗∗∗ Old TLS versions - gone, but not forgotten... well, not really "gone" either, (Tue, Mar 30th) ∗∗∗ --------------------------------------------- With the recent official deprecation of TLS 1.0 and TLS 1.1 by RFC 8996[1], a step, which has long been in preparation and which was preceded by many recommendations to discontinue the use of both protocols (as well as by the removal of support for them from all mainstream web browsers[2]), one might assume that the use of old TLS versions on the internet would have significantly decreased over the last few months. This has however not been the case. --------------------------------------------- https://isc.sans.edu/diary/rss/27260 ∗∗∗ You Just Received 25k USD in Your BTC Account! A Practical Phishing Defense Tutorial ∗∗∗ --------------------------------------------- >From time to time, we all receive some unexpected messages. Either through social media or email. Usually, these are harmless, meant to advertise a product or a service. However, sometimes they can be malicious, with an intent to steal our data and eventually our money, this is a so-called “phishing” attack. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/you-just-re… ∗∗∗ Unfair exchange: ransomware attacks surge globally amid Microsoft Exchange Server vulnerabilities ∗∗∗ --------------------------------------------- Following the recent disclosure of vulnerabilities affecting Microsoft Exchange Servers, Check Point Research (CPR) has observed a global surge in the number of ransomware attacks. In fact, since the beginning of 2021, there has been a 9% increase monthly in organizations affected ransomware. This uptick includes a 57% increase in organizations affected by ransomware in the past 6 months. --------------------------------------------- https://blog.checkpoint.com/2021/03/30/unfair-exchange-ransomware-attacks-s… ∗∗∗ Malicious commits found in PHP code repository: What you need to know ∗∗∗ --------------------------------------------- The PHP Git repository compromise is in the news. We break it down for you, and tell you what you need to know. --------------------------------------------- https://blog.malwarebytes.com/hacking-2/2021/03/malicious-commits-found-in-… ∗∗∗ Akamai Sees Largest DDoS Extortion Attack Known to Date ∗∗∗ --------------------------------------------- Distributed denial of service (DDoS) attacks are growing bigger in volume, and they have also become more targeted and increasingly persistent, according to web security services provider Akamai. --------------------------------------------- https://www.securityweek.com/akamai-sees-largest-ddos-extortion-attack-know… ∗∗∗ Kaufen Sie Corona-Tests nicht auf Kleinanzeigenplattformen ∗∗∗ --------------------------------------------- Durch die Initiative "Alles gurgelt" erhalten Wienerinnen und Wiener kostenlose PCR-Gurgeltests in allen Wiener BIPA-Filialen. Pro Person können bis zu 4 Selbsttests pro Woche abgeholt werden. Einige versuchen sich mit diesem Angebot jedoch ein kleines Taschengeld dazu zu verdienen und bieten die Gratis-Tests in Kleinanzeigenportalen an. Die Stadt Wien rät davon ab, die kostenlosen Tests auf Kleinanzeigenportalen zu kaufen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-corona-tests-nicht-auf-kl… ∗∗∗ Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks ∗∗∗ --------------------------------------------- Data-stealing ransomware attacks, information harvesting malware, and supply chain attacks are some of the critical threats facing organizations highlighted in F-Secure's latest attack landscape update. --------------------------------------------- https://blog.f-secure.com/attack-landscape-update-h1-2021/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability ∗∗∗ --------------------------------------------- Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ArcGIS general raster security update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been identified when processing specially crafted files that may allow arbitrary code execution in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier). Esri has released updates for the affected products that resolve the high-risk vulnerabilities here. --------------------------------------------- https://www.esri.com/arcgis-blog/products/arcgis/administration/security-ad… ∗∗∗ Xen Security Advisory CVE-2021-28688 / XSA-371 - Linux: blkback driver may leak persistent grants ∗∗∗ --------------------------------------------- A malicious or buggy frontend driver may be able to cause resource leaks from the corresponding backend driver. This can result in a host-wide Denial of Sevice (DoS). --------------------------------------------- https://xenbits.xen.org/xsa/advisory-371.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lxml), Fedora (openssl, pdfbox, rpm, and rubygem-kramdown), openSUSE (eclipse), Oracle (flatpak and openssl), Red Hat (curl, kernel, kpatch-patch, mariadb, nss-softokn, openssl, perl, and tomcat), and SUSE (firefox, ovmf, and tar). --------------------------------------------- https://lwn.net/Articles/851164/ ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- Two security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR. --------------------------------------------- https://support.citrix.com/article/CTX306565 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0327 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0325 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2021
by Daily end-of-shift report 29 Mar '21

29 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-03-2021 18:00 − Montag 29-03-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Git-Hosting: Angriff auf PHPs Code-Repository ∗∗∗ --------------------------------------------- Im Git-Repository von PHP wurden zwei Hintertüren eingefügt. Als Konsequenz will man den Code künftig nicht mehr selbst hosten. --------------------------------------------- https://www.golem.de/news/git-hosting-angriff-auf-phps-code-repository-2103… ∗∗∗ Spyware: Android-Malware gibt sich als Systemupdate aus ∗∗∗ --------------------------------------------- Über den Trojaner, der sich als Android-Update ausgibt, lassen sich die betroffenen Geräte komplett übernehmen. --------------------------------------------- https://www.golem.de/news/spyware-android-malware-gibt-sich-als-systemupdat… ∗∗∗ Here Are the Free Ransomware Decryption Tools You Need to Use [2021 Updated] ∗∗∗ --------------------------------------------- If your network gets infected with ransomware, follow the steps below to recover essential data: Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will give you access to your data. Step 2: Find any available backups you have, and consider keeping your data backups in secure, off-site locations. Step [...] --------------------------------------------- https://heimdalsecurity.com/blog/ransomware-decryption-tools/ ∗∗∗ Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th) ∗∗∗ --------------------------------------------- Microsoft describes the "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6] --------------------------------------------- https://isc.sans.edu/diary/rss/27248 ∗∗∗ [SANS ISC] Jumping into Shellcode ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Jumping into Shellcode“: Malware analysis is exciting because you never know what you will find. In previous diaries, I already explained why it’s important to have a look at groups of interesting Windows API call to detect some behaviors. The classic example is code [...] --------------------------------------------- https://blog.rootshell.be/2021/03/29/sans-isc-jumping-into-shellcode/ ∗∗∗ Analyzing And Micropatching With Tetrane REVEN (Part 1, CVE-2021-26897) ∗∗∗ --------------------------------------------- March 2021 Windows Updates included fixes for seven vulnerabilities in Windows DNS Server, two of which were marked by Microsoft as "Exploitation More Likely": CVE-2021-26877 and CVE-2021-26897. They were not known to be exploited and no details were publicly available until security researchers Eoin Carroll and Kevin McGrath published their analysis on McAfee Labs blog. Their article included enough information for us to reproduce both vulnerabilities, [...] --------------------------------------------- https://blog.0patch.com/2021/03/analyzing-and-micropatching-with.html ∗∗∗ Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims ∗∗∗ --------------------------------------------- Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators. --------------------------------------------- https://www.securityweek.com/hades-ransomware-hits-big-firms-operators-slow… ∗∗∗ Threat Assessment: Matrix Ransomware ∗∗∗ --------------------------------------------- We provide an overview of the Matrix ransomware family and offer indicators of compromise in this companion to the Unit 42 Ransomware Threat Report. --------------------------------------------- https://unit42.paloaltonetworks.com/matrix-ransomware/ ∗∗∗ Sodinokibi (aka REvil) Ransomware ∗∗∗ --------------------------------------------- Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind [...] --------------------------------------------- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Exchange Server Post-Compromise Attack Activity Shared by Microsoft ∗∗∗ --------------------------------------------- In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet. --------------------------------------------- https://heimdalsecurity.com/blog/exchange-server-post-compromise-attack-act… ∗∗∗ Sicherheitslücke: npm-Paket Netmask ignoriert das Oktalsystem in IP-Adressen ∗∗∗ --------------------------------------------- Die verbreitete Library wertet Oktalzahlen nicht korrekt aus und interpretiert dadurch unter anderem private Adressen potenziell als öffentlich und umgekehrt. --------------------------------------------- https://heise.de/-6000759 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE [...] --------------------------------------------- https://lwn.net/Articles/851061/ ∗∗∗ Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux ∗∗∗ --------------------------------------------- Bugs could allow a malicious user to access data belonging to other users. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sp… ∗∗∗ Philips Gemini PET/CT Family ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Storage of Sensitive Data in a Mechanism Without Access Control vulnerability in Philips Gemini PET/CT Family scanners. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-084-01 ∗∗∗ Weintek EasyWeb cMT ∗∗∗ --------------------------------------------- This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-082-01 ∗∗∗ Apple Security Updates March 26 2021 - Possible in the Wild Exploitation ∗∗∗ --------------------------------------------- Apple has published security updates for iOS, iOS and iPadOS, and watchOS. The updates all address the same, single vulnerability, in WebKit. The vulnerability may have been exploited in the wild. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/f7a453892e4d0d7f1e0a77077ea… ∗∗∗ CVE-2021-25646: Getting Code Execution on Apache Druid ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Prosenjit Sinha of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache Druid database. The bug was originally discovered and reported by Litch1 from the Security Team of Alibaba Cloud. The following is a portion of their write-up covering CVE-2021-25646, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution… ∗∗∗ [webapps] WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/49718 ∗∗∗ OpenSSL vulnerability CVE-2021-3449 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83623027 ∗∗∗ OpenSSL vulnerability CVE-2021-3450 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52171694 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2021
by Daily end-of-shift report 26 Mar '21

26 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-03-2021 18:00 − Freitag 26-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI exposes weakness in Mamba ransomware, DiskCryptor ∗∗∗ --------------------------------------------- An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamb… ∗∗∗ Office macro execution evidence, (Fri, Mar 26th) ∗∗∗ --------------------------------------------- Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful. --------------------------------------------- https://isc.sans.edu/diary/rss/27244 ∗∗∗ New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks ∗∗∗ --------------------------------------------- New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operators 5G network. AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were [...] --------------------------------------------- https://thehackernews.com/2021/03/new-5g-flaw-exposes-priority-networks.html ∗∗∗ Perkiler malware turns to SMB brute force to spread ∗∗∗ --------------------------------------------- Perkiler is now using SMB brute force attacks to spread. Which is not a new concept, but why attack SMB instead of RDP? --------------------------------------------- https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb… ∗∗∗ Dumping LSASS in memory undetected using MirrorDump ∗∗∗ --------------------------------------------- As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undet… ∗∗∗ 20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub ∗∗∗ --------------------------------------------- Container images are a simple way to distribute software - including malicious cryptojacking images attackers use to distribute cryptominers. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/ ∗∗∗ Exchange Server attacks: Microsoft shares intelligence on post-compromise activities ∗∗∗ --------------------------------------------- If youre cleaning up a infected Exchange server, you need to look for traces of multiple threats, warns Microsoft. --------------------------------------------- https://www.zdnet.com/article/exchange-server-attacks-microsoft-shares-inte… ∗∗∗ Aktuelle Information zu den ProxyLogon Exchange Schwachstellen in Österreich ∗∗∗ --------------------------------------------- TL;DR 254 Exchange Server nach wie vor ungepatcht (Stand: 2021-03-26). Am 18. März waren es noch 839. Von 23. März bis 26.März wurden insgesamt 437 Webshells in Österreich gefunden. Die Patch-Rate hat etwas abgenommen. Wir sehen die übliche exponentielle Abnahme der verwundbaren Systeme. Allerdings dürfte die ab 18. März durch Microsoft Defender automatisch durchgeführte Mitigation ihren Zweck erfüllt haben. --------------------------------------------- https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-proxylogon-excha… ∗∗∗ PsExec Privilege Escalation in Windows Fixed ∗∗∗ --------------------------------------------- A component of Microsofts Sysinternals utility was found in January 2021 to be vulnerable to privilege escalation. According to the release notes from Microsoft: "This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/e97cd1b85394822631fcc1589f7… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft releases Windows 10 SSU to fix security update issue ∗∗∗ --------------------------------------------- Microsoft has released the Windows 10 1909 KB5000850 cumulative update preview and a new KB5001205 Servicing Stack Update that resolves a Secure Boot vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-… ∗∗∗ Another Critical RCE Flaw Discovered in SolarWinds Orion Platform ∗∗∗ --------------------------------------------- IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE). Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via [...] --------------------------------------------- https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html ∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗ --------------------------------------------- On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Sicherheitsupdates: Angreifer könnten Samba-LDAP-Server crashen ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Samba gefährden Systeme. Abgesicherte Versionen stehen zum Download bereit. --------------------------------------------- https://heise.de/-5999401 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0). --------------------------------------------- https://lwn.net/Articles/850703/ ∗∗∗ Synology-SA-21:13 Samba AD DC ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_13 ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210324-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-1971, CVE-2020-8265, CVE-2020-8287 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM License Metric Tool v9 (CVE-2020-14782). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Intel Ethernet Controller vulnerabilities CVE-2020-24497, CVE-2020-24498, CVE-2020-24500, CVE-2020-24501, and CVE-2020-24505 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K85738358 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2021
by Daily end-of-shift report 25 Mar '21

25 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-03-2021 18:00 − Donnerstag 25-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco fixt Remote-Lücken in Jabber-Clients für Windows, macOS & mobile Systeme ∗∗∗ --------------------------------------------- Ein Update schließt teils als kritisch eingestufte Einfallstore in Ciscos Jabber-Client für Win, macOS, Android & iOS. Auch weitere Produkte erhielten Updates. --------------------------------------------- https://heise.de/-5997987 ∗∗∗ IETF erklärt TLS-Urväter 1.0 und 1.1 als veraltet ∗∗∗ --------------------------------------------- Schwache Kryptografie und reichlich Sicherheitslücken haben zum Ende von TLS 1.0 und 1.1 geführt. --------------------------------------------- https://heise.de/-5997963 ∗∗∗ Fleeceware lockt in Abofallen ∗∗∗ --------------------------------------------- Forscher von Avast haben Hunderte von Fleeceware-Mobilfunk-Apps auf Google Play und im Apple App Store entdeckt, mit denen ihre Entwickler Millionen von Dollar verdienen. --------------------------------------------- https://www.zdnet.de/88394043/fleeceware-lockt-in-abofallen/ ∗∗∗ QNAP warns of ongoing brute-force attacks against NAS devices ∗∗∗ --------------------------------------------- QNAP warns customers of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urges them to immediately take action to mitigate them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-… ∗∗∗ Threat landscape for industrial automation systems. Statistics for H2 2020 ∗∗∗ --------------------------------------------- We continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-s… ∗∗∗ Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis ∗∗∗ --------------------------------------------- On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]. We customized our Anglerfish honeypot to simulate and deploy Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data, so far, we have already [...] --------------------------------------------- https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855… ∗∗∗ From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts) ∗∗∗ --------------------------------------------- Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?). --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-creati… ∗∗∗ Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild ∗∗∗ --------------------------------------------- On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s "Legacy" Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-th… ∗∗∗ Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system. --------------------------------------------- https://www.securityweek.com/mamba-ransomware-leverages-diskcryptor-encrypt… ∗∗∗ Webshells Observed in Post-Compromised Exchange Servers ∗∗∗ --------------------------------------------- CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actor can upload a webshell to enable remote administration of the affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observe… ===================== = Vulnerabilities = ===================== ∗∗∗ Kryptobibliothek: OpenSSL-Lücke in Zertifikatschecks ∗∗∗ --------------------------------------------- Ein Fehler von OpenSSL bei der Zertifikatsvalidierung betrifft nur wenige Anwendungen, ein weiterer Bug lässt Server abstürzen. --------------------------------------------- https://www.golem.de/news/kryptobibliothek-openssl-luecke-in-zertifikatsche… ∗∗∗ SAP® Privilege Escalation durch ABAP Code Injection in SAP® Business Warehouse ∗∗∗ --------------------------------------------- Dieser Blogpost soll einen Überblick über eine kritische ABAP Code Injection-Schwachstelle innerhalb des Funktionsbausteins RSDMD_BATCH_CALL im SAP® Business Warehouse geben und dessen Auswirkungen verdeutlichen. --------------------------------------------- https://sec-consult.com/de/blog/detail/privilege-escalation-abap-code-injec… ∗∗∗ Two Vulnerabilities Patched in Facebook for WordPress Plugin ∗∗∗ --------------------------------------------- On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-faceb… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/850498/ ∗∗∗ Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91610944?utm_source=f5support&utm_mediu… ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0308 ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities (CVE-2020-28851 and CVE-2020-28852) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-3114 and CVE-2021-3115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager (Oct 2020 and Jan 2021 CPUs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat… ∗∗∗ Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 – Log4j Deserialization Remote Code Execution (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufactu… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2021
by Daily end-of-shift report 24 Mar '21

24 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-03-2021 18:00 − Mittwoch 24-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft warns of phishing attacks bypassing email gateways ∗∗∗ --------------------------------------------- An ongoing phishing operation that stole an estimated 400,000 OWA and Office 365 credentials since December has now expanded to abuse new legitimate services to bypass secure email gateways (SEGs). --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-… ∗∗∗ Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers ∗∗∗ --------------------------------------------- Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities. --------------------------------------------- https://thehackernews.com/2021/03/purple-fox-rootkit-can-now-spread.html ∗∗∗ Zahlreiche negative Bewertungen zu fashionmanufaktur.at ∗∗∗ --------------------------------------------- Seit Monaten häufen sich negative Erfahrungen und Bewertungen zahlreicher KonsumentInnen zum Online-Shop fashionmanufaktur.at. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-negative-bewertungen-zu-f… ∗∗∗ Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech ∗∗∗ --------------------------------------------- We describe trends in COVID-19 themed phishing attacks since the start of the pandemic to gain insight into the topics that attackers try to exploit. --------------------------------------------- https://unit42.paloaltonetworks.com/covid-19-themed-phishing-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-354: (0Day) Lepide Active Directory Self Service Backup Missing Authentication Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Lepide Active Directory Self Service. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-354/ ∗∗∗ Cisco Security Advisories 2021-03-24 ∗∗∗ --------------------------------------------- 1 Critical, 18 High, 19 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4,[...] --------------------------------------------- https://lwn.net/Articles/850352/ ∗∗∗ SaltStack revises partial patch for command injection, privilege escalation vulnerability ∗∗∗ --------------------------------------------- The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure. --------------------------------------------- https://www.zdnet.com/article/saltstack-revises-partial-patch-for-command-i… ∗∗∗ Uncontrolled Search Path Element in Multiple Bosch Products ∗∗∗ --------------------------------------------- BOSCH-SA-835563-BT: Multiple Bosch software applications are affected by a security vulnerability, which potentially allows an attacker to load additional code in the form of DLLs (commonly known as "DLL Hijacking" or "DLL Preloading"). --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-835563-bt.html ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage System where an attacker could cause a denial of service (CVE-2020-5015) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -[All] jQuery (Publicly disclosed vulnerability) – 180875 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Elastic Storage Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2020-14803, CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM® SDK, Java™ Technology Edition shipped with IBM Tivoli Netcool Impact (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0522 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K37283878 ∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0523 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31445234 ∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0524 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83504933 ∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0525 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44482551 ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0306 ∗∗∗ Pro-FTPd: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0304 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2021
by Daily end-of-shift report 23 Mar '21

23 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 22-03-2021 18:00 − Dienstag 23-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Popular Remote Lesson Monitoring Program Might be Exploited by Attackers ∗∗∗ --------------------------------------------- Netop is a software specialized in providing visibility over student activities, that lets teachers see what their students see, in this way the teachers can also share their screen, lock student screens and keyboards and block websites with the click of a button. The software designed and advertised for helping teachers keep control of lessons [...] --------------------------------------------- https://heimdalsecurity.com/blog/lesson-monitoring-program-exploited/ ∗∗∗ Secure containerized environments with updated threat matrix for Kubernetes ∗∗∗ --------------------------------------------- The updated threat matrix for Kubernetes adds new techniques found by Microsoft researchers, as well as techniques that were suggested by the community. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-env… ∗∗∗ Nim Strings, (Mon, Mar 22nd) ∗∗∗ --------------------------------------------- On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language. --------------------------------------------- https://isc.sans.edu/diary/rss/27230 ∗∗∗ Intel-Prozessoren: Zwei undokumentierte Befehle für Microcode enttarnt ∗∗∗ --------------------------------------------- Sicherheitsexperten entdecken Befehle, mit denen sich das Verhalten von Intel-Prozessoren ändern lässt - bisher jedoch nur in einem speziellen Debugging-Modus. --------------------------------------------- https://heise.de/-5994965 ∗∗∗ Erpressung per E-Mail: Kriminelle fordern Bitcoins ∗∗∗ --------------------------------------------- Momentan werden vermehrt betrügerische Erpressungsmails versendet. Kriminelle behaupten darin, sie hätten Ihre Geräte gehackt und könnten nun alles was Sie tun, live beobachten. Angeblich hätten sie Beweise, dass Sie regelmäßig auf Porno-Seiten surfen. Sogar ein Video, das Sie beim Masturbieren zeigt, sollte existieren. Damit dieses von den Kriminellen nicht veröffentlicht wird, fordern sie die Überweisung von Bitcoins. --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-for… ∗∗∗ Ransomware gangs have found another set of new targets: Schools and universities ∗∗∗ --------------------------------------------- National Cyber Security Centre issues advice on how to protect networks from cyber criminals after a spike in ransomware attacks causing disruption across the education sector over the last month --------------------------------------------- https://www.zdnet.com/article/ransomware-attacks-against-schools-are-rocket… ===================== = Vulnerabilities = ===================== ∗∗∗ Neue Versionen: Firefox 87, Firefox ESR und Thunderbird 78.9 mit Security-Fixes ∗∗∗ --------------------------------------------- Updates für Firefox, Firefox ESR und den E-Mail-Client Thunderbird umfassen neben funktionalen Neuerungen auch Fixes für Schwachstellen. --------------------------------------------- https://heise.de/-5996236 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dnsmasq, libmediainfo, and mariadb-10.1), Fedora (dotnet5.0, moodle, and radare2), Mageia (kernel and kernel-linus), Oracle (python27:2.7, python36:3.6, and python38:3.8), Red Hat (pki-core:10.6), and Ubuntu (privoxy). --------------------------------------------- https://lwn.net/Articles/850188/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0002 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0002.html ∗∗∗ Synology-SA-21:12 Synology Calendar ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Calendar. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_12 ∗∗∗ Weintek EasyWeb cMT ∗∗∗ --------------------------------------------- This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-082-01 ∗∗∗ GE MU320E ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Hard-coded Password, Execution with Unnecessary Privileges, and Inadequate Encryption Strength vulnerabilities in GE MU320E firmware. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02 ∗∗∗ GE Reason DR60 ∗∗∗ --------------------------------------------- This advisory contains mitigations for Hard-coded Password, Code Injection, and Execution with Unnecessary Privileges vulnerabilities in GE Reason DR60 digital fault recorder products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-082-03 ∗∗∗ Ovarro TBox ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-054-04P Ovarro TBox that posted to the HSIN ICS library on February 23, 2021 This advisory contains mitigations for Code Injection, Incorrect Permission Assignment for Critical Resource, Uncontrolled Resource Consumption, Insufficiently Protected Credentials, and Use of Hard-coded Cryptographic Key vulnerabilities in Ovarro TBox remote terminal units (RTUs). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-054-04 ∗∗∗ Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Lift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lift/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0299 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2021
by Daily end-of-shift report 22 Mar '21

22 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-03-2021 18:00 − Montag 22-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ DDoS booters now abuse DTLS servers to amplify attacks ∗∗∗ --------------------------------------------- DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-… ∗∗∗ Microsoft Exchange servers now targeted by BlackKingdom ransomware ∗∗∗ --------------------------------------------- Another ransomware operation known as BlackKingdom is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-n… ∗∗∗ Office 365 Phishing Attack Targets Financial Execs ∗∗∗ --------------------------------------------- Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials. --------------------------------------------- https://threatpost.com/office-365-phishing-attack-financial-execs/164925/ ∗∗∗ Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online ∗∗∗ --------------------------------------------- Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks. News of in the wild exploitation comes on the heels of a proof-of-concept exploit code that surfaced online [...] --------------------------------------------- https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html ∗∗∗ Multi-factor Authentication. Reset MFA you say? ∗∗∗ --------------------------------------------- MFA is a no brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2SV... Anyway, when we’re red teaming, MFA [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/multi-factor-authentication-r… ∗∗∗ Auf Willhaben inseriert? Vorsicht vor mob-willhaben.at SMS! ∗∗∗ --------------------------------------------- Zahlreiche Willhaben-UserInnen wenden sich derzeit an die Watchlist Internet, weil sie eine betrügerische SMS zu einer Willhaben-Anzeige erhalten haben. Das Gemeine an der Sache: Die Personen bieten gerade tatsächlich Waren auf Willhaben an. In der SMS wird meist behauptet, jemand habe für die Ware bezahlt. Ein enhaltener Link führt auf eine gefälschte Willhaben-Seite, die Daten abgreifen und einen Trojaner installieren möchte. --------------------------------------------- https://www.watchlist-internet.at/news/auf-willhaben-inseriert-vorsicht-vor… ∗∗∗ Metamorfo/Mekotio Banking Trojan Uses AutoHotKey Scripting ∗∗∗ --------------------------------------------- The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe. This trojan is one that makes use of a little known scripting language known as AutoHotKey (AHK). --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/6e934f1121d09aff346710499c0… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-342: Samsung Galaxy S20 libimagecodec Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Samsung Galaxy S20. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-342/ ∗∗∗ Apache OFBiz: Update beseitigt Remote-Lücke aus Open-Source-ERP-Software ∗∗∗ --------------------------------------------- Die quelloffene Enterprise Resource Planning-Software OFBiz war aus der Ferne angreifbar. Eine abgesicherte Version und ein Patch stehen bereit. --------------------------------------------- https://heise.de/-5994429 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and [...] --------------------------------------------- https://lwn.net/Articles/850068/ ∗∗∗ Adobe Patches Critical ColdFusion Security Flaw ∗∗∗ --------------------------------------------- Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the platform used for building and deploying mobile and web apps. --------------------------------------------- https://www.securityweek.com/adobe-patches-critical-coldfusion-security-flaw ∗∗∗ TMM vulnerability CVE-2021-23007 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K37451543 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0297 ∗∗∗ UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN12737530/ ∗∗∗ Security updates available in Foxit Reader 10.1.3, Foxit PhantomPDF 10.1.3 and 3D Plugin Beta 10.1.3.37598 ∗∗∗ --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.html ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Websphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2020-5016) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts framework affects IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2021
by Daily end-of-shift report 19 Mar '21

19 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-03-2021 18:00 − Freitag 19-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Defender Antivirus behebt Sicherheitslücken in Exchange Server ∗∗∗ --------------------------------------------- Microsoft hat ein automatisches Entschärfungstool in Defender Antivirus implementiert, um kritische Sicherheitslücken in Exchange Server zu schließen, denn auch nach Wochen sind immer noch zehntausende Server ungepatcht. --------------------------------------------- https://www.zdnet.de/88393956/microsoft-defender-antivirus-behebt-sicherhei… ∗∗∗ New CopperStealer malware steals Google, Apple, Facebook accounts ∗∗∗ --------------------------------------------- Previously undocumented account-stealing malware distributed via fake software crack sites targets the users of major service providers, including Google, Facebook, Amazon, and Apple. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-copperstealer-malware-st… ∗∗∗ REvil ransomware has a new ‘Windows Safe Mode’ encryption mode ∗∗∗ --------------------------------------------- The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-w… ∗∗∗ Sicherheitslücken: Hackergruppe nutzte 11 Zero Days in einem Jahr ∗∗∗ --------------------------------------------- Googles Project Zero berichtet über eine Hacker-Gruppe, die reihenweise Zero Days nutzte, um komplett gepatchte Geräte ihrer Opfer zu hacken. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-hackergruppe-nutzte-11-zero-da… ∗∗∗ Easy SMS Hijacking ∗∗∗ --------------------------------------------- Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money - in this case, $16 off an anonymous prepaid credit card - and a few lies, you can forward the text messages from any phone to any other phone. --------------------------------------------- https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html ∗∗∗ Vorsicht bei der Urlaubsbuchung: Unseriöse Webseiten verlocken mit günstigen Angeboten ∗∗∗ --------------------------------------------- Lust auf die Malediven? Vielleicht auch auf Phuket? Oder wollen Sie aufgrund der anhaltenden Corona-Krise doch lieber Urlaub zuhause machen: In Wien? Oder im Tiroler Mayrhofen? Unterkünfte in diesen Reisezielen werden derzeit von unseriösen Buchungsplattformen angeboten. Wir zeigen Ihnen, auf welchen Webseiten Sie lieber nicht buchen sollten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-unse… ∗∗∗ Beware Android trojan posing as Clubhouse app ∗∗∗ --------------------------------------------- The malware can grab login credentials for more than 450 apps and bypass SMS-based two-factor authentication --------------------------------------------- https://www.welivesecurity.com/2021/03/18/beware-android-trojan-posing-club… ∗∗∗ AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool ∗∗∗ --------------------------------------------- This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa21-077a ===================== = Vulnerabilities = ===================== ∗∗∗ Mehrere Schwachstellen in SOYAL Biometric Access Control System 5.0 ∗∗∗ --------------------------------------------- Zeroscience hat mehrere Schwachstellen im Produkt Biometric Access Control System des Herstellers SOYAL gefunden. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ Mehrere Schwachstellen in KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 ∗∗∗ --------------------------------------------- Zeroscience hat mehrere Schwachstellen in Wi-Fi/VoIP CPEs der Hersteller KZ Broadband Technologies, Jaton und Neotel gefunden, darunter auch eine RCE --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and pki-core), Debian (shibboleth-sp, shibboleth-sp2, and squid3), openSUSE (libmysofa and privoxy), Oracle (bind), and Ubuntu (ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/849847/ ∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Information Exposure vulnerability in Exacq Technologies exacqVision web service. Exacq Technologies is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-077-01 ∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Hitachi ABB Power Grids eSOMS software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-077-02 ∗∗∗ Hitachi ABB Power Grids eSOMS Telerik ∗∗∗ --------------------------------------------- This advisory contains mitigations for Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, and Insufficiently Protected Credentials vulnerabilities in some Hitachi ABB Power Grids eSOMS products using Telerik software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03 ∗∗∗ Rockwell Automation Logix Controllers (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that was published February 25, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03 ∗∗∗ Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN37607293/ ∗∗∗ March 17, 2021 TNS-2021-04 [R1] Nessus Agent 8.2.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-04-0 ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security vulnerable to a stack-based buffer overflow (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2021
by Daily end-of-shift report 18 Mar '21

18 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-03-2021 18:00 − Donnerstag 18-03-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions ∗∗∗ --------------------------------------------- Can you help Shadowserver sign up more countries/networks in Africa and the Info-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting so please get in touch if you can help us achieve these goals. --------------------------------------------- https://www.shadowserver.org/news/uk-foreign-commonwealth-development-offic… ∗∗∗ SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests ∗∗∗ --------------------------------------------- Existing victim networks are used to test out payloads as a novel form of sandbox. --------------------------------------------- https://www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-ab… ∗∗∗ TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise ∗∗∗ --------------------------------------------- CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/ttp-table-detecti… ∗∗∗ ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet ∗∗∗ --------------------------------------------- DDoS-for-hire services adopt new technique that amplifies attacks 37 fold. --------------------------------------------- https://arstechnica.com/?p=1750512 ∗∗∗ New XcodeSpy malware targets iOS devs in supply-chain attack ∗∗∗ --------------------------------------------- A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developers computer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets… ∗∗∗ Convuster: macOS adware now in Rust ∗∗∗ --------------------------------------------- Convuster adware for macOS is written in Rust and able to use Gatekeeper to evade analysis. --------------------------------------------- https://securelist.com/convuster-macos-adware-in-rust/101258/ ∗∗∗ Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux ∗∗∗ --------------------------------------------- Back in January, we blogged about a new botnet Necro and shortly after our report, it stopped spreading. On March 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar March 2nd, the BotMon system has detected that Necro has started spreading again, [...] --------------------------------------------- https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-d… ∗∗∗ Server Side Data Exfiltration via Telegram API ∗∗∗ --------------------------------------------- One of the themes commonly highlighted on this blog includes the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware on the server level can be used for data exfiltration. What’s more, attackers may be able to accomplish this feat with a few mere lines of code. --------------------------------------------- https://blog.sucuri.net/2021/03/server-side-data-exfiltration-via-telegram-… ∗∗∗ Simple Python Keylogger ∗∗∗ --------------------------------------------- A keylogger is one of the core features implemented by many malware to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate if its a juicy one or not. --------------------------------------------- https://isc.sans.edu/diary/rss/27216 ∗∗∗ Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability ∗∗∗ --------------------------------------------- On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris’ Vantage Velocity field unit version 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data with a large number of vehicles. If a device is compromised, [...] --------------------------------------------- https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-v… ∗∗∗ NimzaLoader Malware ∗∗∗ --------------------------------------------- NimzaLoader is a new initial access malware that is relatively unique in its usage of the Nim programming language. Proofpoint observed this malware being distributed in a TA800 email campaign in place of BazaLoader --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/0a3e6c8474f098e6b497c889ebd… ===================== = Vulnerabilities = ===================== ∗∗∗ SYSS-2020-044: Sicherheitsproblem in Screen Sharing-Funktionalität von Zoom (CVE-2021-28133) ∗∗∗ --------------------------------------------- SySS Proof of Concept Video demonstriert ein Sicherheitsproblem in der Screen Sharing-Funktion der Videokonferenzsoftware Zoom. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen… ∗∗∗ Tutor LMS for WordPress Open to Info-Stealing Security Holes ∗∗∗ --------------------------------------------- The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities. --------------------------------------------- https://threatpost.com/tutor-lms-wordpress-security-holes/164868/ ∗∗∗ Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites ∗∗∗ --------------------------------------------- A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an [...] --------------------------------------------- https://thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html ∗∗∗ ZDI-21-337: Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-337/ ∗∗∗ ZDI-21-341: (0Day) (Pwn2Own) Sony X800H Smart TV Vewd Type-Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sony X800H Smart TV. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-341/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (velocity-tools), Fedora (switchboard-plug-bluetooth), Mageia (discover, flatpak, and xmlgraphics-commons), openSUSE (chromium and python), Oracle (kernel, kernel-container, and pki-core), Red Hat (openvswitch2.11 and ovn2.11, python-django, qemu-kvm-rhev, and rubygem-em-http-request), and SUSE (crmsh, openssl1, and php53). --------------------------------------------- https://lwn.net/Articles/849737/ ∗∗∗ Xen: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0289 ∗∗∗ Drupal: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0287 ∗∗∗ Security Bulletin: z/TPF is affected by OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-open… ∗∗∗ Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-… ∗∗∗ Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Security Guardium External S-TAP is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ext… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: March 2021 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-multiple-vulne… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Spectrum Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM Resilient vulnerable to username enumeration (CVE-2020-4635) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-vulnerable-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2021
by Daily end-of-shift report 17 Mar '21

17 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-03-2021 18:00 − Mittwoch 17-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mimecast says SolarWinds hackers breached its network and spied on customers ∗∗∗ --------------------------------------------- Mimecast-issued certificate used to connect to customers’ Microsoft 365 tenants. --------------------------------------------- https://arstechnica.com/?p=1750098 ∗∗∗ Twitter images can be abused to hide ZIP, MP3 files — heres how ∗∗∗ --------------------------------------------- Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter. --------------------------------------------- https://www.bleepingcomputer.com/news/security/twitter-images-can-be-abused… ∗∗∗ Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities ∗∗∗ --------------------------------------------- This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/16/guidance-for-responders-inve… ∗∗∗ Microsoft Exchange Server: These quarterly updates include fixes for security flaws ∗∗∗ --------------------------------------------- Microsoft releases Exchange Server 2016 and 2019 cumulative updates that address critical flaws. --------------------------------------------- https://www.zdnet.com/article/microsoft-exchange-server-these-quarterly-upd… ∗∗∗ New ICS Threat Activity Group: VANADINITE ∗∗∗ --------------------------------------------- The new VANADINITE activity group targets electric utilities, oil and gas, manufacturing, telecommunications, and transportation. --------------------------------------------- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-van… ∗∗∗ So hacken Kriminelle unbemerkt Ihre Website, um Fake-Shops zu betreiben ∗∗∗ --------------------------------------------- Sicherheitslücken auf Websites von Unternehmen und Vereinen werden auch genutzt, um Fake-Shops zu platzieren. Mittels Cloaking leiten Kriminelle die BesucherInnen zu Fake-Shops um. Die betroffenen Unternehmen und Vereine wissen nichts davon. Wir erklären Ihnen, wie Cloaking funktioniert und was Sie dagegen machen können. --------------------------------------------- https://www.watchlist-internet.at/news/so-hacken-kriminelle-unbemerkt-ihre-… ∗∗∗ New Mirai Variant Targeting Network Security Devices ∗∗∗ --------------------------------------------- We discovered ongoing attacks leveraging IoT vulnerabilities, including in network security devices, to serve a Mirai variant. --------------------------------------------- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ ∗∗∗ NIS2 Proposal: First feedback on the normative text ∗∗∗ --------------------------------------------- After looking at the recitals a few weeks ago, here is my feedback on the normative text of the NIS2 proposal. --------------------------------------------- https://cert.at/en/blog/2021/3/nis2-proposal-first-feedback-on-the-normativ… ∗∗∗ CISA-FBI Joint Advisory on TrickBot Malware ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/cisa-fbi-joint-ad… ∗∗∗ CVE-2021-27076: A Replay-Style Deserialization Attack Against SharePoint ∗∗∗ --------------------------------------------- An attacker is frequently in the position of having to find a technique to evade some data integrity measure implemented by a target. --------------------------------------------- https://www.thezdi.com/blog/2021/3/17/cve-2021-27076-a-replay-style-deseria… ===================== = Vulnerabilities = ===================== ∗∗∗ Researcher adds their package to Microsoft Azure SDK releases list ∗∗∗ --------------------------------------------- A security researcher was able to add their own test package to the official list of Microsoft Azure SDK latest releases. The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-adds-their-packag… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (shadow, tor, and velocity), Fedora (gsoap, qt5-qtsvg, and switchboard-plug-bluetooth), Mageia (batik, chromium-browser-stable, glibc, ksh, and microcode), openSUSE (389-ds, connman, freeradius-server, froxlor, openssl-1_0_0, openssl-1_1, postgresql12, and python-markdown2), Red Hat (bind, curl, kernel, nss and nss-softokn, perl, python, and tomcat), Scientific Linux (ipa, kernel, and pki-core), SUSE (glib2 and velocity), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/849622/ ∗∗∗ WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN08191557/ ∗∗∗ Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by multiple vulnerabilities in jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition for Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Rational Application Developer is vulnerable to CVE-2020-2773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-application-deve… ∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by a vulnerability (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update February 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-13434, CVE-2020-13435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilties have been fixed in the IBM Security Access Manager and IBM Security Verify Access appliances. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2021
by Daily end-of-shift report 16 Mar '21

16 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 15-03-2021 18:30 − Dienstag 16-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ FBI warns of escalating Pysa ransomware attacks on education orgs ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa… ∗∗∗ One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 ∗∗∗ --------------------------------------------- We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/15/one-click-microsoft-exchange… ∗∗∗ Videokonferenzen: Damit Vertrauliches vertraulich bleibt ∗∗∗ --------------------------------------------- Durch die Corona-Pandemie hat die Nutzung von Videokonferenzlösungen in Verwaltung und Wirtschaft erheblich zugenommen. Die Systeme dienen dabei nicht nur der Kommunikation, sondern auch dem gemeinsamen Erstellen und Bearbeiten von Dokumenten. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Eine Rasterbrille auf ayurreadpro.com kaufen? – Wir raten davon ab! ∗∗∗ --------------------------------------------- Wer online nach Möglichkeiten zur Verbesserung der Sehkraft oder Methoden zum Augentraining sucht, stoßt höchstwahrscheinlich auf Rasterbrillen. Rasterbrillen sind schwarze Kunststoffbrillen mit Lochmuster in den „Gläsern“, die angeblich Sehschwächen vorbeugen und verbessern. Für die Wirksamkeit der knapp 60 Euro-Brille gibt es jedoch keine wissenschaftlich bestätigten Studien. Im Extremfall könnten sogar ernstzunehmende Schäden [...] --------------------------------------------- https://www.watchlist-internet.at/news/eine-rasterbrille-auf-ayurreadprocom… ∗∗∗ Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th) ∗∗∗ --------------------------------------------- Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consist of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants. --------------------------------------------- https://isc.sans.edu/diary/rss/27204 ∗∗∗ Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks ∗∗∗ --------------------------------------------- A new research has yielded yet another means to pilfer sensitive data by exploiting whats the first "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this [...] --------------------------------------------- https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html ∗∗∗ Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution ∗∗∗ --------------------------------------------- We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. --------------------------------------------- https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonit… ∗∗∗ Hackers are targeting telecoms companies to steal 5G secrets ∗∗∗ --------------------------------------------- Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world. --------------------------------------------- https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-s… ∗∗∗ Exploring my doorbell ∗∗∗ --------------------------------------------- Ive talked about my doorbell before, but started looking at it again this week because sometimes it simply doesnt send notifications to my Home Assistant setup - the push notifications appear on my phone, but the doorbell simply doesnt trigger the HTTP callback its meant to[1]. This is obviously suboptimal, but its also tricky to debug a device when you have no access to it. --------------------------------------------- https://mjg59.dreamwidth.org/56345.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/849501/ ∗∗∗ This years-old Microsoft Office vulnerability is still popular with hackers, so patch now ∗∗∗ --------------------------------------------- Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware. --------------------------------------------- https://www.zdnet.com/article/this-years-old-microsoft-office-vulnerability… ∗∗∗ Aktuelle Zahlen zu den Exchange Schwachstellen in Österreich ∗∗∗ --------------------------------------------- TL;DR 1074 Exchange Server nach wie vor ungepatched (Stand: 2021-03-16). Nach den ersten aktiven Scans zwischen dem 9. und 12. März waren es noch 2236. Bisher wurden 465 Webshells von Shadowserver und Kryptos Logic in Österreich gefunden. Die initiale Patch-Disziplin war anscheinend hoch. Wenn möglich, Microsofts Script unter https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-pr… zum Finden und Mitigieren von Webshells [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwach… ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cross-site Scripting vulnerability in Advantech WebAccess/SCADA browser-based software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-075-01 ∗∗∗ GE UR family ∗∗∗ --------------------------------------------- This advisory contains mitigations for multiple vulnerabilities in GE UR family of protection and control relays. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02 ∗∗∗ Hitachi ABB Power Grids AFS Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Infinite Loop vulnerability in Hitachi ABB Power Grids AFS Series products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-075-03 ∗∗∗ BD Alaris 8015 PC Unit (Update B) ∗∗∗ --------------------------------------------- [...] This advisory contains compensating controls to reduce the risk of exploitation of insufficiently protected credentials and security features vulnerabilities in BD Alaris 8015 Point of Care units, which provide a common user interface for programming [...] --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02 ∗∗∗ DP API encryption ineffective in Windows containers: Publicly Available Cryptographic Keys (CVE-2021-1645) ∗∗∗ --------------------------------------------- We recently discovered a vulnerability in the DP API key management of Windows containers. This vulnerability was assigned CVE-2021-1645 by Microsoft [1] and allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. This vulnerability was discovered in close cooperation with SignPath [2]. --------------------------------------------- https://certitude.consulting/blog/en/windows-docker-dp-api-vulnerability-cv… ∗∗∗ Apache Tomcat vulnerability CVE-2021-25329 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73648110 ∗∗∗ Apache Tomcat vulnerability CVE-2021-25122 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00174195 ∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0276 ∗∗∗ TYPO3 Core: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0275 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into log files (CVE-2020-4851) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Spectrum Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2021
by Daily end-of-shift report 15 Mar '21

15 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-03-2021 18:30 − Montag 15-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Protecting on-premises Exchange Servers against recent attacks ∗∗∗ --------------------------------------------- While Microsoft has regular methods for providing tools to update software, this extraordinary situation calls for a heightened approach. In addition to our regular software updates, we are also providing specific updates for older and out-of-support software with the intent to make it as easy as possible to quickly protect your business. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-e… ∗∗∗ Update verfügbar! ∗∗∗ --------------------------------------------- Zum internationalen Weltverbrauchertag gibt das BSI Informationen und Hinweise zur einfachen und automatischen Installation von Software-Aktualisierungen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Research: Security Agencies Expose Information via Improperly Sanitized PDFs ∗∗∗ --------------------------------------------- Most security agencies fail to properly sanitize Portable Document Format (PDF) files before publishing them, thus exposing potentially sensitive information and opening the door for attacks, researchers have discovered. read more --------------------------------------------- https://www.securityweek.com/research-security-agencies-expose-information-… ===================== = Vulnerabilities = ===================== ∗∗∗ Three Flaws in the Linux Kernel Since 2006 Could Grant Root Privileges ∗∗∗ --------------------------------------------- "Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or youve compromised some service that doesnt have repaired permissions, you can do whatever you want basically," said Adam Nichols, [...] --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/d0iuqi9zTtI/three-flaws-in-… ∗∗∗ Sicherheitsupdate: Angreifer nehmen erneut Google Chrome ins Visier ∗∗∗ --------------------------------------------- Die Chrome-Entwickler haben im Webbrowser fünf Sicherheitslücken geschlossen. Eine Schwachstellen sollen Angreifer derzeit ausnutzen. --------------------------------------------- https://heise.de/-5987831 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ca-certificates, flatpak, golang-1.7, golang-1.8, mupdf, pygments, and tiff), Fedora (containerd, golang-github-containerd-cri, mingw-gdk-pixbuf, mingw-glib2, mingw-jasper, mingw-python-jinja2, mingw-python-pillow, mingw-python3, python-django, python-pillow, and python2-pillow), Mageia (git, mediainfo, netty, python-django, and quartz), openSUSE (crmsh, git, glib2, kernel-firmware, openldap2, stunnel, and wpa_supplicant), Oracle (qemu), Red Hat [...] --------------------------------------------- https://lwn.net/Articles/849406/ ∗∗∗ GnuTLS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0273 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: Streams Flows might be affected by some underlying Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-streams-flows-might-be-af… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's API Manager is vulnerable to invitation and registration link tampering (CVE-2021-20440) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-api-mana… ∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4448) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by remote code execution (CVE-2020-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2021
by Daily end-of-shift report 12 Mar '21

12 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-03-2021 18:30 − Freitag 12-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sie warten auf ein Paket? Vorsicht vor dieser betrügerischen E-Mail! ∗∗∗ --------------------------------------------- Immer wieder versuchen Kriminelle Sie durch falsche Behauptungen in eine Abo-Falle zu locken oder an Ihre Daten zu kommen. Derzeit melden uns LeserInnen betrügerische E-Mails, in denen behauptet wird, dass ein Paket nicht zugestellt werden kann, da die Adresse fehle. Doch Vorsicht: Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/sie-warten-auf-ein-paket-vorsicht-vo… ∗∗∗ Zusatzkosten & lange Lieferzeiten? So vermeiden Sie Probleme bei Online-Shops außerhalb der EU! ∗∗∗ --------------------------------------------- Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Das gilt insbesondere für Shops, die entweder Ihren Sitz außerhalb der EU haben oder von außerhalb der EU liefern lassen. Wir zeigen Ihnen, auf was Sie achten müssen, damit Sie keine bösen Überraschungen beim Online-Shopping im Ausland erleben! --------------------------------------------- https://www.watchlist-internet.at/news/zusatzkosten-lange-lieferzeiten-so-v… ∗∗∗ New DEARCRY Ransomware is targeting Microsoft Exchange Servers ∗∗∗ --------------------------------------------- A new ransomware called DEARCRY is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-ta… ∗∗∗ What Are BEC Attacks? ∗∗∗ --------------------------------------------- Otherwise known as BEC, Business e-mail compromise happens when an attacker hacks into a corporate e-mail account and impersonates the real owner with the sole purpose to defraud the company, its customers, partners and/or employees into sending money or sensitive data to the attacker’s account. Also known as the “man-in-the-email” attack, BEC scams start with [...] --------------------------------------------- https://heimdalsecurity.com/blog/what-are-bec-attacks/ ∗∗∗ New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims ∗∗∗ --------------------------------------------- In the security community, when people talk about honeypot, by default we would assume this is one of the most used toolkits for security researchers to lure the bad guys. But recently we came across a botnet uses honeypot to harvest other infected devices, which is quite interesting. --------------------------------------------- https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/ ∗∗∗ A Spectre proof-of-concept for a Spectre-proof web ∗∗∗ --------------------------------------------- Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still [...] --------------------------------------------- https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spec… ∗∗∗ Mac Malware XCSSET Adapted for Devices With M1 Chips ∗∗∗ --------------------------------------------- An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip. --------------------------------------------- https://www.securityweek.com/mac-malware-xcsset-adapted-devices-m1-chips ∗∗∗ New Browser Attack Allows Tracking Users Online With JavaScript Disabled ∗∗∗ --------------------------------------------- [...] the latest research released this week aims to bypass such browser-based mitigations by implementing a side-channel attack called "CSS Prime+Probe" constructed solely using HTML and CSS, allowing the attack to work even in hardened browsers like Tor, Chrome Zero, and DeterFox that have JavaScript fully disabled or limit the resolution of the timer API. --------------------------------------------- https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144) ∗∗∗ --------------------------------------------- The D-Link DIR-3060 (running firmware versions below v1.11b04) is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to a DIR-3060 would be able to run arbitrary system commands on the device as the system "admin" user, with root privileges. D-Link has released a patched firmware version v1.11b04 Hotfix 2 to address this issue. Affected users are advised to apply the patch. --------------------------------------------- https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/849208/ ∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in Schneider Electric IGSS SCADA software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01 ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0266 ∗∗∗ NetBSD Foundation NetBSD OS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0270 ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-8277 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerability in TLS (CVE-2020-4831) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-26116 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2021
by Daily end-of-shift report 11 Mar '21

11 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-03-2021 18:30 − Donnerstag 11-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Der Hafnium Exchange-Server-Hack: Anatomie einer Katastrophe ∗∗∗ --------------------------------------------- Hätte Microsoft den Massenhack von Exchange-Servern mit rascheren Reaktionen verhindern verhindern können? Der Ablauf der Ereignisse wirft Fragen auf. --------------------------------------------- https://heise.de/-5077269 ∗∗∗ NAT-Slipstreaming-Angriffe: Es kommt noch schlimmer ∗∗∗ --------------------------------------------- Zeit zu handeln: Mit dem NAT-Slipstreaming 2.0 können Kriminelle nicht nur das Gerät des Opfers, sondern jede IP-Adresse im Netzwerk angreifen. --------------------------------------------- https://heise.de/-5078104 ∗∗∗ Exchange-Lücken: Jetzt kommt die Cybercrime-Welle mit Erpressung ∗∗∗ --------------------------------------------- Ein öffentlicher Exploit für die Sicherheitslücken in Microsoft Exchange bedeutet, dass die ersten Erpressungsfälle vor der Tür stehen. --------------------------------------------- https://heise.de/-5078180 ∗∗∗ F5 Announces Critical BIG-IP pre-auth RCE bug ∗∗∗ --------------------------------------------- F5 Networks is a leading provider of enterprise networking gear, with software and hardware customers like governments, Fortune 500 firms, banks, internet service providers, and largely known consumer brands (Microsoft, Oracle, and Facebook). The patch refers to the four critical vulnerabilities listed below and also includes a pre-auth RCE security flaw (CVE-2021-22986) that allows unauthenticated [...] --------------------------------------------- https://heimdalsecurity.com/blog/f5-announces-critical-bug/ ∗∗∗ FIN8 Resurfaces with Revamped Backdoor Malware ∗∗∗ --------------------------------------------- The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems. --------------------------------------------- https://threatpost.com/fin8-resurfaces-backdoor-malware/164684/ ∗∗∗ Piktochart - Phishing with Infographics, (Thu, Mar 11th) ∗∗∗ --------------------------------------------- In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targetting users of the Infographic service Piktochart. --------------------------------------------- https://isc.sans.edu/diary/rss/27194 ∗∗∗ Magento 2 PHP Credit Card Skimmer Saves to JPG ∗∗∗ --------------------------------------------- Bad actors often leverage creative techniques to conceal malicious behaviour and harvest sensitive information from ecommerce websites. A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file. --------------------------------------------- https://blog.sucuri.net/2021/03/magento-2-php-credit-card-skimmer-saves-to-… ∗∗∗ Home Assistant, Pwned Passwords and Security Misconceptions ∗∗∗ --------------------------------------------- Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter Ive come to love as Ive embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently:always something. --------------------------------------------- https://www.troyhunt.com/home-assistant-pwned-passwords-and-security-miscon… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant). --------------------------------------------- https://lwn.net/Articles/849088/ ∗∗∗ Security Advisory - Sudo Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210310… ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0260 ∗∗∗ Linux kernel ext3/ext4 file system vulnerability CVE-2020-14314 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67830124 ∗∗∗ glibc vulnerability CVE-2019-25013 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68251873 ∗∗∗ glibc vulnerability CVE-2020-29573 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27238230 ∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is Affected by Multiple Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Symbolic Link Permissions Problem Modeler Subscription Installer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-symbolic-link-permissions… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by vulnerability in jackson-databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2021
by Daily end-of-shift report 10 Mar '21

10 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-03-2021 18:30 − Mittwoch 10-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exchange-Hack: Microsoft-365-Migrationstool durch Textdatei ausgetauscht ∗∗∗ --------------------------------------------- Ein Golem.de-Leser wollte Exchange-Konten des Arbeitgebers auf Microsoft 365 migrieren. Statt des Hilfstools gab es eine Textdatei mit Nachricht. --------------------------------------------- https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-… ∗∗∗ Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS ∗∗∗ --------------------------------------------- (Edit: this is CVE-2021-1000002)Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands. --------------------------------------------- https://mjg59.dreamwidth.org/56106.html ∗∗∗ Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ∗∗∗ --------------------------------------------- Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vu… ∗∗∗ SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th) ∗∗∗ --------------------------------------------- With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold? --------------------------------------------- https://isc.sans.edu/diary/rss/27188 ∗∗∗ Researchers Unveil New Linux Malware Linked to Chinese Hackers ∗∗∗ --------------------------------------------- Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog. --------------------------------------------- https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html ∗∗∗ Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks ∗∗∗ --------------------------------------------- Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code. --------------------------------------------- https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expo… ∗∗∗ Targeted HelloKitty Ransomware Attack ∗∗∗ --------------------------------------------- SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac70… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Patch Tuesday - March 2021 ∗∗∗ --------------------------------------------- In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3e… ∗∗∗ Patchday Adobe: Schadcode-Lücken in Connect, Creative Cloud und Framemaker ∗∗∗ --------------------------------------------- Der Software-Hersteller Adobe hat in verschiedenen Anwendungen mehrere kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-5076338 ∗∗∗ Versionsverwaltung Git 2.30.2. behebt Sicherheitslücke beim Klonen ∗∗∗ --------------------------------------------- Die Schwachstelle ermöglicht unter bestimmten Umständen das Ausführen von Skripten beim Klonen von Repositories. --------------------------------------------- https://heise.de/-5076502 ∗∗∗ SAP-Patchday: Kritische Lücken aus SAP MII und NetWeaver AS für Java beseitigt ∗∗∗ --------------------------------------------- SAP hat unter anderem zwei Sicherheitslücken in Manufacturing Integration and Intelligence (MII) & NetWeaver AS JAVA mit CVSS-Scores nahe der 10 geschlossen. --------------------------------------------- https://heise.de/-5076543 ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf ∗∗∗ --------------------------------------------- 3MF Consortium’s lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition. --------------------------------------------- https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh). --------------------------------------------- https://lwn.net/Articles/848973/ ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- CB-K21/0250: QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0250 ∗∗∗ SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 and Jan 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ BIG-IQ DCD vulnerability CVE-2021-22996 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-22995 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-22997 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_mediu… ∗∗∗ F5 TMUI XSS vulnerability CVE-2021-22994 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23003 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP ASM iControl REST vulnerability CVE-2021-23001 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP TMM vulnerability CVE-2021-23000 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP SNAT vulnerability CVE-2021-22998 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-23005 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23004 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ XSS vulnerability CVE-2021-23006 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP APM VPN vulnerability CVE-2021-23002 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_mediu… ∗∗∗ TMM buffer-overflow vulnerability CVE-2021-22991 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_mediu… ∗∗∗ TMUI authenticated remote command execution vulnerability CVE-2021-22988 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_mediu… ∗∗∗ Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2021-22999 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_mediu… ∗∗∗ Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_mediu… ∗∗∗ iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_mediu… ∗∗∗ Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_mediu… ∗∗∗ Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_mediu… ∗∗∗ glibc vulnerability CVE-2021-3326 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2021
by Daily end-of-shift report 09 Mar '21

09 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-03-2021 18:30 − Dienstag 09-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers ∗∗∗ --------------------------------------------- A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unp… ∗∗∗ GitHub Fixed a Bug impacting Authenticated Sessions ∗∗∗ --------------------------------------------- Earlier this month GitHub received a report of anomalous behavior from an external party, therefore they fixed the bug trying to protect user accounts against a potentially serious security vulnerability. The weird behavior was generated by a race condition vulnerability that misrouted the GitHub user’s login session to the web browser of another logged-in user, [...] --------------------------------------------- https://heimdalsecurity.com/blog/github-fixes-bug/ ∗∗∗ Serious Security: Webshells explained in the aftermath of HAFNIUM attacks ∗∗∗ --------------------------------------------- Webshells explained, with some (safe) examples you can try at home if you want to learn more. --------------------------------------------- https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-expl… ∗∗∗ 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect [...] --------------------------------------------- https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html ∗∗∗ Fuzzing grub: part 1 ∗∗∗ --------------------------------------------- Recently a set of 8 vulnerabilities were disclosed for the grub bootloader. I found 2 of them (CVE-2021-20225 and CVE-2021-20233), and contributed a number of other fixes for crashing bugs which we dont believe are exploitable. I found them by applying fuzz testing to grub. Heres how. --------------------------------------------- https://sthbrx.github.io/blog/2021/03/04/fuzzing-grub-part-1/ ∗∗∗ Vorsicht vor betrügerischen Wohnungsinseraten im Facebook-Marketplace ∗∗∗ --------------------------------------------- Auch im Facebook-Marketplace werden Miet- und Eigentumswohnungen inseriert. Ist der Preis jedoch sehr günstig, sollten Sie vorsichtig sein, denn es könnte sich um Betrug handeln. Behaupten VermieterInnen, dass sie im Ausland sind und sie die Besichtigung und Übermittlung der Kaution über Airbnb abwickeln, können Sie eindeutig von Betrug ausgehen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-wohnung… ∗∗∗ Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning ∗∗∗ --------------------------------------------- We review vulnerabilities in dnsmasq, an open source DNS resolver, deep dive into DNS cache poisoning and describe effects on cloud products. --------------------------------------------- https://unit42.paloaltonetworks.com/overview-of-dnsmasq-vulnerabilities-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe fixes critical Creative Cloud, Adobe Connect vulnerabilities ∗∗∗ --------------------------------------------- Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-creativ… ∗∗∗ Apple Plugs Severe WebKit Remote Code-Execution Hole ∗∗∗ --------------------------------------------- Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari. --------------------------------------------- https://threatpost.com/apple-webkit-remote-code-execution/164595/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd). --------------------------------------------- https://lwn.net/Articles/848835/ ∗∗∗ Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components ∗∗∗ --------------------------------------------- Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products. --------------------------------------------- https://www.securityweek.com/siemens-releases-several-advisories-vulnerabil… ∗∗∗ Synology-SA-21:11 Download Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_11 ∗∗∗ Synology-SA-21:10 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_10 ∗∗∗ SAP Security Patch Day - March 2021 ∗∗∗ --------------------------------------------- On 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107 ∗∗∗ Microsoft Exchange attacks: Now Microsoft rushes out a patch for these unsupported Exchange servers, too ∗∗∗ --------------------------------------------- Microsoft provides more patches for critical Exchange vulnerabilities that are being exploited widely on the internet. --------------------------------------------- https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rush… ∗∗∗ Squid: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0241 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0247 ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring returns potentially sensitive information in headers which could lead to further attacks against the system. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Google Protocol Buffers as used by IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2015-5237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-google-protocol-buffers-a… ∗∗∗ Security Bulletin: Information leakage vulnerability affect IBM Business Automation Workflow – CVE-2021-20358 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-leakage-vulne… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in JAVA affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Vulnerability in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2021
by Daily end-of-shift report 08 Mar '21

08 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-03-2021 18:30 − Montag 08-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Angriffe auf Exchange-Server – Microsoft stellt Prüf-Skript für Admins bereit ∗∗∗ --------------------------------------------- Sicherheitslücken im Exchange-Server ziehen derzeit Angriffe auf sich. Microsoft stellt ein Skript bereit, mit dem Administratoren ihre Systeme prüfen können. --------------------------------------------- https://heise.de/-5073827 ∗∗∗ A Basic Timeline of the Exchange Mass-Hack ∗∗∗ --------------------------------------------- Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Heres a brief timeline of what we know leading up to last weeks mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. --------------------------------------------- https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-h… ∗∗∗ Ransomware gang plans to call victims business partners about attacks ∗∗∗ --------------------------------------------- The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victims business partners to generate ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-cal… ∗∗∗ Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) ∗∗∗ --------------------------------------------- Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! --------------------------------------------- https://isc.sans.edu/diary/rss/27174 ∗∗∗ The January/February 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Dependency confusion - when trust is too good to be true Water hacking - not a new trendy sport, but [...] --------------------------------------------- https://securityblog.switch.ch/2021/03/08/the-january-february-2021-issue-o… ∗∗∗ Domain dumpster diving ∗∗∗ --------------------------------------------- By Jaeson Schultz. Dumpster diving - searching through the trash looking for items of value - has long been a staple of hacking culture. In the 1995 movie "Hackers," Acid Burn and Crash Override are seen dumpster diving for information they can use to help them "hack the Gibson." Of course, not all trash is physical garbage located in a dumpster behind an office building. Some trash is virtual. --------------------------------------------- https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html ∗∗∗ Bazar Drops the Anchor ∗∗∗ --------------------------------------------- The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage [...] --------------------------------------------- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical 0-day in The Plus Addons for Elementor Allows Site Takeover ∗∗∗ --------------------------------------------- Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2). --------------------------------------------- https://lwn.net/Articles/848710/ ∗∗∗ Linux kernel vulnerability CVE-2019-18282 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32380005 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14779,CVE-2020-14796, CVE-2020-14797,CVE-2020-14798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect TPF Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server January 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's provider org registration flow is vulnerable to impersonation and sensitive information leak. CVE-2020-4903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-provider… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via Node.js (CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: IBM API Connect V10 is impacted by insecure communications during database replication (CVE-2020-4695) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v10-is-im… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to an RCE attack (CVE-2020-5014) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2021
by Daily end-of-shift report 05 Mar '21

05 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-03-2021 18:30 − Freitag 05-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft: Exchange updates can install without fixing vulnerabilities ∗∗∗ --------------------------------------------- Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-c… ∗∗∗ D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant ∗∗∗ --------------------------------------------- A new variant of the Gafgyt botnet - thats actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say. --------------------------------------------- https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/ ∗∗∗ QNAP NAS users, make sure you check your system ∗∗∗ --------------------------------------------- On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1], upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities. --------------------------------------------- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ∗∗∗ Spam Farm Spotted in the Wild, (Fri, Mar 5th) ∗∗∗ --------------------------------------------- If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. --------------------------------------------- https://isc.sans.edu/diary/rss/27170 ∗∗∗ Kampf der Excel-Schadsoftware: AMSI gegen verseuchten XML-Code ∗∗∗ --------------------------------------------- Microsoft baut sein Antimalware Scan Interface (AMSI) aus. Neben VBA- kann es jetzt auch XML-Code scannen. --------------------------------------------- https://heise.de/-5073364 ∗∗∗ QNAPCrypt and SunCrypt Ransomware Connection ∗∗∗ --------------------------------------------- Intezer has published a blog posting that provides an analysis of the connections between the QNAPCrypt and SunCrypt ransomware. SunCrypt is affiliate ransomware service while QNAPCrypt surfaced in 2019 and was used to target devices from QNAP and Synology. The analysis concludes that the current SunCrypt ransomware shares many similarities [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/75ee68a919cad9c434c63bfb0e3… ∗∗∗ GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence ∗∗∗ --------------------------------------------- Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM - the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot… ===================== = Vulnerabilities = ===================== ∗∗∗ Grub 2: Acht neue Schwachstellen im Bootloader ∗∗∗ --------------------------------------------- Die Entwickler von Grub 2 haben mehrere Lücken gemeldet. Einige davon können erneut Secure Boot aushebeln, was den Update-Prozess deutlich verkompliziert. --------------------------------------------- https://heise.de/-5073481 ∗∗∗ Benchmarking-Tool VMware View Planner ist für Schadcode anfällig ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für VMware View Planner. Unter bestimmten Voraussetzungen könnten Angreifer eigene Befehle ausführen. --------------------------------------------- https://heise.de/-5073000 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa). --------------------------------------------- https://lwn.net/Articles/848416/ ∗∗∗ Supermicro, Pulse Secure Respond to Trickbots Ability to Target Firmware ∗∗∗ --------------------------------------------- Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware. --------------------------------------------- https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-abil… ∗∗∗ ICS-CERT Advisories March 04 2021 ∗∗∗ --------------------------------------------- The ICS-CERT has published 2 advisories that affect Rockwell Automation 1734-AENTR Series B and Series C, and Schneider Electric EcoStruxure Building Operation (EBO). Further information is available from the advisories which are summarised below. https://us-cert.cisa.gov/ics/advisories/icsa-21-063-01 https://us-cert.cisa.gov/ics/advisories/icsa-21-063-02 --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/32af714c7074693f32dfa23b263… ∗∗∗ BIND vulnerability CVE-2020-8625 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13591074?utm_source=f5support&utm_mediu… ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0238 ∗∗∗ Security Bulletin: Google-api-client as used by IBM QRadar SIEM is vulnerable to authorization bypass (CVE-2020-7692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (March 2021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2021
by Daily end-of-shift report 04 Mar '21

04 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-03-2021 18:30 − Donnerstag 04-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Researcher bitsquats Microsofts windows.com to steal traffic ∗∗∗ --------------------------------------------- A researcher was able to bitsquat Microsofts windows.com domain by cybersquatting variations of windows.com. Adversaries can abuse this tactic to conduct automated attacks or collect data due to the nature of bit flipping. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microso… ∗∗∗ Trojan Spyware and BEC Attacks ∗∗∗ --------------------------------------------- When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more [...] --------------------------------------------- https://blog.sucuri.net/2021/03/trojan-spyware-and-bec-attacks.html ∗∗∗ Cybercriminals Finding Ways to Bypass 3D Secure Fraud Prevention System ∗∗∗ --------------------------------------------- Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions. --------------------------------------------- https://www.securityweek.com/cybercriminals-finding-ways-bypass-3d-secure-f… ∗∗∗ Kryptowährung einzahlen und das Doppelte zurückerhalten? FAKE! ∗∗∗ --------------------------------------------- Die Watchlist Internet sowie die Internet Ombudsstelle erhalten immer häufiger Nachrichten verzweifelter KonsumentInnen. Sie bezahlen hohe Beträge in Kryptowährungen wie Bitcoin, Ethereum oder Ripple auf betrügerischen Plattformen ein, die eine Rückzahlung des Doppelten oder eines Vielfachen des Betrags versprechen. Jegliche Einzahlung ist verloren und das Geld kann nicht mehr zurückgeholt werden! --------------------------------------------- https://www.watchlist-internet.at/news/kryptowaehrung-einzahlen-und-das-dop… ===================== = Vulnerabilities = ===================== ∗∗∗ Windows DNS SIGRed bug gets first public RCE PoC exploit ∗∗∗ --------------------------------------------- A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-… ∗∗∗ D-Link: Update für Wireless Access Point DAP-2020 beseitigt drei Schwachstellen ∗∗∗ --------------------------------------------- Ein wichtiges Firmware-Update beseitigt Angriffsmöglichkeiten aus benachbarten Netzwerken ohne Authentifizierung. --------------------------------------------- https://heise.de/-5071286 ∗∗∗ XSA-367 - Linux: netback fails to honor grant mapping errors ∗∗∗ --------------------------------------------- A malicious or buggy networking frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. In a typical (non-disaggregated) system that is a host-wide denial of service (DoS). --------------------------------------------- https://xenbits.xen.org/xsa/advisory-367.html ∗∗∗ XSA-369 - Linux: special config may crash when trying to map foreign pages ∗∗∗ --------------------------------------------- A Dom0 or driver domain based on a Linux kernel (configured as described above) can be crashed by a malicious guest administrator, or possibly malicious unprivileged guest processes. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-369.html ∗∗∗ Critical Vulnerability Patched in WooCommerce Upload Files ∗∗∗ --------------------------------------------- On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-wo… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography). --------------------------------------------- https://lwn.net/Articles/848223/ ∗∗∗ High severity Linux network security holes found, fixed ∗∗∗ --------------------------------------------- This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available. --------------------------------------------- https://www.zdnet.com/article/linux-network-security-holes-found-fixed/ ∗∗∗ Shodan Verified Vulns 2021-03-01 ∗∗∗ --------------------------------------------- Ein weiteres Monat ist vorbei und wir werfen wieder einen Blick auf die Schwachstellen, die Shodan in Österreich sieht. Mit Stand 2021-03-01 ergibt sich folgendes Bild: Zum Vormonat hat sich damit fast gar nichts verändert, nur der Gastauftritt von CVE-2019-19781 a.k.a. "Shitrix" im Jänner ist anscheinend wieder vorbei. Eine Übersicht und weiterführende Links zu allen "Verified Vulnerabilities", die Shodan in Österreich gefunden hat, findet [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/3/shodan-verified-vulns-2021-03-01 ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11 ( CVE-2020-7788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a systemd vulnerability (CVE-2019-20386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libexpat vulnerabilities (CVE-2018-20843, CVE-2019-15903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libxslt vulnerabilities (CVE-2019-11068, CVE-2019-18197) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2021
by Daily end-of-shift report 03 Mar '21

03 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-03-2021 18:00 − Mittwoch 03-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Qakbot infection with Cobalt Strike, (Wed, Mar 3rd) ∗∗∗ --------------------------------------------- On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity. --------------------------------------------- https://isc.sans.edu/diary/rss/27158 ∗∗∗ Qualys hit with ransomware: Customer invoices leaked on extortionists Tor blog ∗∗∗ --------------------------------------------- Ace infosec biz aware and investigating, were told Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/03/03/qualys_ranso… ∗∗∗ „Urlaubsguru ReiseWelt“ bewirbt Fake-Reiseangebote auf Facebook und Instagram ∗∗∗ --------------------------------------------- 12 Nächte Malediven oder zwei Wochen Thailand? Und das zu einem unschlagbaren Preis und mit der Versicherung 48 Stunden vor der Reise kostenlos stornieren zu können? Das klingt zu gut, um wahr zu sein? Ist es in diesem Fall auch. Auf Facebook und Instagram bewirbt der betrügerische Anbieter „Urlaubsguru ReiseWelt“ unglaubliche Angebote. Doch statt der versprochenen Traumreise, wird Ihnen nur das Geld gestohlen. --------------------------------------------- https://www.watchlist-internet.at/news/urlaubsguru-reisewelt-bewirbt-fake-r… ∗∗∗ Threat Actor Group Cloud Atlas Tracked by DomainTools Researchers ∗∗∗ --------------------------------------------- Researchers from DomainTools continue to see an APT group known as Cloud Atlas (also known as Inception) run campaigns which primarily focus on targeting countries formerly part of the Soviet Union with an emphasis on energy and political themes. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/ca6c08f0161ffd21cad662b80fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Android-Patchday: Kritische Remote-Sicherheitslücke aus Betriebssystem beseitigt ∗∗∗ --------------------------------------------- Zum Patchday im März hat Google unter anderem mehrere kritische Sicherheitslücken aus Android entfernt. Pixel-Geräte erhalten zahlreiche Zusatz-Patches. --------------------------------------------- https://heise.de/-5070821 ∗∗∗ Medium Severity Vulnerability Patched in User Profile Picture Plugin ∗∗∗ --------------------------------------------- On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information. --------------------------------------------- https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patche… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa). --------------------------------------------- https://lwn.net/Articles/848089/ ∗∗∗ Kritische Sicherheitslücken in Microsoft Exchange Server - Patches verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des üblichen Update-Zyklus mehrere Patches für Microsoft Exchange zur Verfügung gestellt. Einige der darin behobenen Sicherheitslücken werden nach Angaben von Microsoft und der IT-Sicherheits-Firma Volexity bereits aktiv ausgenutzt. --------------------------------------------- https://cert.at/de/warnungen/2021/3/kritische-sicherheitslucken-in-microsof… ∗∗∗ Side Channel Key Extraction Vulnerability in Bosch IP Cameras and Encoders ∗∗∗ --------------------------------------------- BOSCH-SA-762869-BT: A recently discovered side channel attack for the NXP P5x security microcontrollers was made public. It allows attackers to extract an ECDSA private key after extensive physical access to the chip. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-762869-bt.html ∗∗∗ Cisco Security Advisories - March 3rd, 2021 ∗∗∗ --------------------------------------------- Cisco has published thirteen Security Advisories. Of the advisories, one is rated as High and twelve are rated as Medium. For all advisories listed below, it is noted that Ciscos Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities" [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/a3892fab975bdb6f39d025581db… ∗∗∗ SECURITY BULLETIN: Trend Micro Scan Engine Memory Exhaustion Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000285675 ∗∗∗ Security Bulletin: IBM Security Verify Bridge uses a hard-coded key to encrypt the client secret (CVE-2021-20442) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridg… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js proxy library that has a known vulnerability (183561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Security Verify Bridge uses relatively weak cryptographic algorithms in two of its functions (CVE-2021-20441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridg… ∗∗∗ Security Bulletin: Android Mobile SDK compile builder includes vulnerable components ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-android-mobile-sdk-compil… ∗∗∗ VMSA-2021-0003 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0003.html ∗∗∗ Linux nfsd kernel vulnerability CVE-2020-24394 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04553557?utm_source=f5support&utm_mediu… ∗∗∗ Hitachi ABB Power Grids Ellipse EAM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-061-01 ∗∗∗ Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-061-02 ∗∗∗ MB connect line mbCONNECT24, mymbCONNECT24 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-061-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2021
by Daily end-of-shift report 02 Mar '21

02 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 01-03-2021 18:00 − Dienstag 02-03-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ European e-ticketing platform Ticketcounter extorted in data breach ∗∗∗ --------------------------------------------- A Dutch e-Ticketing platform has suffered a data breach after a user database containing 1.9 million unique email addresses was stolen from an unsecured staging server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-e-ticketing-platfor… ∗∗∗ Bruce Schneier: Auch das Wirtschaftssystem trägt Schuld am Solarwinds-Hack ∗∗∗ --------------------------------------------- Mit schlechter IT-Sicherheit würden Gewinne gemacht, während Verbraucher und Gesellschaft die Risiken trügen. Das muss sich laut Schneier ändern. --------------------------------------------- https://www.golem.de/news/bruce-schneier-auch-das-wirtschaftssystem-traegt-… ∗∗∗ Inside the Ransomware Economy ∗∗∗ --------------------------------------------- The trouble with ransomware is well known at this point. From Egregor to Doppelpaymer to Ryuk, it continues to command headlines. Pandemic-fueled phishing scams, the lack of visibility across remote endpoints, and lax attitudes have been a boon for ransomware groups over the last year. Worst of all, ransomware no longer discriminates. It dominates small towns and municipal offices, video game makers, and shamelessly, healthcare organizations and school systems already pushed to the brink by the COVID-19 pandemic. The threat could still become more pervasive over the next two to three years, not because ransomware is effective in and of itself but because of other players in the game - insurance companies, brokers, and even attorneys - that continue to fan the flames. --------------------------------------------- https://www.securityweek.com/inside-ransomware-economy ∗∗∗ Einreiseanmeldung für Deutschland nicht über „digitale-einreiseanmeldung.de“ vornehmen ∗∗∗ --------------------------------------------- Die Corona-Pandemie erschwert die Einreise in andere Länder erheblich. Für eine Reise nach Deutschland muss beispielsweise unter Umständen zuvor eine digitale Einreisanmeldung vorgenommen werden. Bei der Recherche über Einreisebestimmungen stoßen Reisende jedoch oftmals auf unseriöse Websites, die die digitale Einreisanmeldung kostenpflichtig anbieten. Nehmen Sie von kostenpflichtigen Angeboten zur Einreiseanmeldung Abstand. Es ist unklar, ob diese Anbieter Ihre [...] --------------------------------------------- https://www.watchlist-internet.at/news/einreiseanmeldung-fuer-deutschland-n… ∗∗∗ Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns ∗∗∗ --------------------------------------------- Cybercriminals use fast flux to maintain uptime for malicious activities. We show how it works in a fictional scenario and real-world case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/fast-flux-101/ ∗∗∗ Povlsomware Ransomware ∗∗∗ --------------------------------------------- Povlsomware markets itself as a proof-of-concept (POC) ransomware designed to test security vendor products. Trend Micro reports on some interesting capabilities associated with the malware. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/e7d232e9df181a3c873c3eaeb56… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin - March 2021 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2021-03-01 ∗∗∗ Zehn Sicherheitslücken in Server-Konfigurationssoftware Saltstack geschlossen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Serversoftware Saltstack. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-5069120 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/847944/ ∗∗∗ Joomla! Security Announcements ∗∗∗ --------------------------------------------- [20210301] - Core - Insecure randomness within 2FA secret generation https://developer.joomla.org:443/security-centre/841-20210301-core-insecure… [20210302] - Core - Potential Insecure FOFEncryptRandval https://developer.joomla.org:443/security-centre/842-20210302-core-potentia… [20210303] - Core - XSS within alert messages showed to users https://developer.joomla.org:443/security-centre/843-20210303-core-xss-with… [20210304] - Core - XSS within the feed parser library https://developer.joomla.org:443/security-centre/844-20210304-core-xss-with… [20210305] - Core - Input validation within the template manager https://developer.joomla.org:443/security-centre/845-20210305-core-input-va… [20210306] - Core - com_media allowed paths that are not intended for image uploads https://developer.joomla.org:443/security-centre/846-20210306-core-com-medi… [20210307] - Core - ACL violation within com_content frontend editing https://developer.joomla.org:443/security-centre/847-20210307-core-acl-viol… [20210308] - Core - Path Traversal within joomla/archive zip class https://developer.joomla.org:443/security-centre/848-20210308-core-path-tra… [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field https://developer.joomla.org:443/security-centre/849-20210309-core-inadequa… --------------------------------------------- https://developer.joomla.org/security-centre.html ∗∗∗ Linux NFS kernel vulnerablity CVE-2020-25212 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42355373 ∗∗∗ [webapps] Tiny Tiny RSS - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/49606 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center has addressed multiple vulnerabilities (Q12021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: Datacap Taskmaster Capture is affected by vulnerable to AppScan's SSLv3 Client Hello with CBC cipher suites that contain TLS_FALLBACK_SCSV ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-captur… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily