Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 25.05.2021
by Daily end-of-shift report 25 May '21

25 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-05-2021 18:00 − Dienstag 25-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht bei SMS-Benachrichtigungen zum Lieferstatus einer Bestellung ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Dann sollten Sie besonders vorsichtig sein, wenn Sie per SMS, Informationen über den Status Ihrer Bestellung erhalten, denn Kriminelle versenden momentan massenhaft gefälschte Lieferbenachrichtigungen. Um Details zu erfahren, werden Sie aufgefordert auf einen Link zu klicken. Tun Sie das keinesfalls, [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-… ∗∗∗ Jetzt patchen! Kritische Windows-Lücke betrifft mehr Systeme als gedacht ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine weitere verwundbare Komponente in Windows-Systemen entdeckt. Updates sind bereits verfügbar. --------------------------------------------- https://heise.de/-6052749 ∗∗∗ Qnap sichert NAS spät gegen Qlocker-Attacken ab ∗∗∗ --------------------------------------------- Seit April hat es ein Erpressungstrojaner auf Netzwerkspeicher von Qnap abgesehen. Erst jetzt gibt es Sicherheitspatches. --------------------------------------------- https://heise.de/-6052783 ∗∗∗ Evolution of JSWorm ransomware ∗∗∗ --------------------------------------------- There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm. --------------------------------------------- https://securelist.com/evolution-of-jsworm-ransomware/102428/ ∗∗∗ "Serverless" Phishing Campaign, (Sat, May 22nd) ∗∗∗ --------------------------------------------- The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I spot a phishing campaign that uses this piece of JavaScript code. --------------------------------------------- https://isc.sans.edu/diary/rss/27446 ∗∗∗ Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd) ∗∗∗ --------------------------------------------- Brad posted another malware analysis with capture file of Cobalt Strike traffic. --------------------------------------------- https://isc.sans.edu/diary/rss/27448 ∗∗∗ Web Applications and Internal Penetration Tests ∗∗∗ --------------------------------------------- Until recently, I really didnt care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applica… ∗∗∗ Apple‌ Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS ∗∗∗ --------------------------------------------- Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apples Transparency, Consent, and Control (TCC) framework in macOS --------------------------------------------- https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.ht… ∗∗∗ OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant ∗∗∗ --------------------------------------------- Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit. --------------------------------------------- https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticat… ∗∗∗ DarkChronicles: the consequences of the Colonial Pipeline attack ∗∗∗ --------------------------------------------- This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-conseq… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗ --------------------------------------------- Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. --------------------------------------------- https://kb.cert.org/vuls/id/799380 ∗∗∗ VU#667933: Pulse Connect Secure Samba buffer overflow ∗∗∗ --------------------------------------------- Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code. --------------------------------------------- https://kb.cert.org/vuls/id/667933 ∗∗∗ Trend Micro: Home Network Security Station gegen drei Schwachstellen abgesichert ∗∗∗ --------------------------------------------- Ein Firmware-Update schützt Home Network Security Stations vor Angriffsmöglichkeiten, von denen zwei, obwohl nur lokal ausnutzbar, hohe Risiken bergen sollen. --------------------------------------------- https://heise.de/-6053146 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat). --------------------------------------------- https://lwn.net/Articles/857132/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby). --------------------------------------------- https://lwn.net/Articles/857212/ ∗∗∗ [20210503] - Core - CSRF in data download endpoints ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-… ∗∗∗ [20210502] - Core - CSRF in AJAX reordering endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-… ∗∗∗ [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/852-20210501-core-adding-h… ∗∗∗ Pulse Secure VPNs Get Quick Fix for Critical RCE ∗∗∗ --------------------------------------------- https://threatpost.com/pulse-secure-vpns-critical-rce/166437/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ NGINX Controller vulnerability CVE-2021-23018 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97002210 ∗∗∗ NGINX Controller vulnerability CVE-2021-23021 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36926027 ∗∗∗ NGINX Controller vulnerability CVE-2021-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45263486 ∗∗∗ SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2021
by Daily end-of-shift report 21 May '21

21 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-05-2021 18:00 − Freitag 21-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mail-Verschlüsselung: Thunderbird schlampte mit PGP-Schlüsseln ∗∗∗ --------------------------------------------- Die OpenPGP-Implementierung des Open-Source-Mailers Thunderbird speicherte die geheimen Schlüssel im Klartext. --------------------------------------------- https://heise.de/-6051767 ∗∗∗ QNAP confirms Qlocker ransomware used HBS backdoor account ∗∗∗ --------------------------------------------- QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-confirms-qlocker-ransom… ∗∗∗ Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st) ∗∗∗ --------------------------------------------- For bad guys, the implementation of techniques to prevent Security Analysts to perform their job is key! The idea is to make our life more difficult (read: "frustrating"). There are plenty of techniques that can be implemented but it's an ever-ongoing process. --------------------------------------------- https://isc.sans.edu/diary/rss/27444 ∗∗∗ Double-Encrypting Ransomware ∗∗∗ --------------------------------------------- This seems to be a new tactic: Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which attacks encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything. --------------------------------------------- https://www.schneier.com/blog/archives/2021/05/double-encrypting-ransomware… ∗∗∗ 21nails: Reporting on Vulnerable SMTP/Exim Servers ∗∗∗ --------------------------------------------- We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner [...] --------------------------------------------- https://www.shadowserver.org/news/21nails-reporting-on-vulnerable-smtp-exim… ∗∗∗ Project Zero: Fuzzing iOS code on macOS at native speed ∗∗∗ --------------------------------------------- This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at… ∗∗∗ Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator ∗∗∗ --------------------------------------------- Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments. --------------------------------------------- https://www.securityweek.com/microsoft-unveils-simuland-open-source-attack-… ∗∗∗ Getting a persistent shell on a 747 IFE ∗∗∗ --------------------------------------------- TL:DR The Coronavirus pandemic has hit the airline industry hard. One sad consequence was early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/getting-a-persistent-shell-on… ∗∗∗ New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th) ∗∗∗ --------------------------------------------- [...] I planned this video series a couple months ago, and figured that this would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one. --------------------------------------------- https://isc.sans.edu/diary/rss/27440 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Heap-based buffer overflow in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. --------------------------------------------- https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-hea… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine). --------------------------------------------- https://lwn.net/Articles/856902/ ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerabilitiy has been fixed in IBM Security Identity Manager Virtual Appliance(CVE-2019-17006) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilitiy… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by an Information disclosure vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which could allow access to sensitive information ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2021
by Daily end-of-shift report 20 May '21

20 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-05-2021 18:00 − Donnerstag 20-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange bleibt Hauptangriffsziel in der Microsoft-Cloud ∗∗∗ --------------------------------------------- Vectra AI hat die zehn wichtigsten Bedrohungen in Azure AD und Office 365 aufgelistet. Exchange bleibt für Angreifer offenbar unverändert attraktiv. --------------------------------------------- https://heise.de/-6050650 ∗∗∗ Cisco bringt Security-Updates ∗∗∗ --------------------------------------------- Cisco hat einige Updates zu Sicherheitsprodukten angekündigt, darunter das Major Release 7.0 der Secure Firewall Threat Defense und die Integration von Snort 3. --------------------------------------------- https://heise.de/-6049957 ∗∗∗ Attacken auf Android: Jetzt patchen! Wenn es denn Sicherheitsupdates gibt ... ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer auf Android-Geräte abgesehen. Patches gibt es aber in der Regel nur für aktuelle Smartphones und Tablets. --------------------------------------------- https://heise.de/-6050515 ∗∗∗ Fake-Shops: So erkennen Sie betrügerische Online-Shops! ∗∗∗ --------------------------------------------- Das Problem betrügerischer Online-Shops - besser bekannt als Fake-Shops - nimmt weiterhin zu. Damit Sie die unterschiedlichen Arten von Fake-Shops schnell erkennen, beschreiben wir im folgenden Artikel die gängigsten Formen und worauf bei diesen besonders aufzupassen ist. Ein Einkauf in einem Fake-Shop kann Sie nämlich wahrlich teuer zu stehen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-so-erkennen-sie-betrueger… ∗∗∗ Qlocker ransomware shuts down after extorting hundreds of QNAP users ∗∗∗ --------------------------------------------- The Qlocker ransomware gang has shut down their operation after earning $350,000 in a month by exploiting vulnerabilities in QNAP NAS devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-dow… ∗∗∗ Keksec Cybergang Debuts Simps Botnet for Gaming DDoS ∗∗∗ --------------------------------------------- The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities. --------------------------------------------- https://threatpost.com/keksec-simps-botnet-gaming-ddos/166306/ ∗∗∗ BazarCall: Call Centers Help Spread BazarLoader Malware ∗∗∗ --------------------------------------------- Call center operators offer to personally guide victims through a process designed to infect vulnerable computers with BazarLoader malware. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-malware/ ∗∗∗ Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/19/update-cisa-fbi-j… ∗∗∗ Misconfiguration of third party cloud services exposed data of over 100 million users ∗∗∗ --------------------------------------------- After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes. --------------------------------------------- https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-clou… ∗∗∗ Microsoft warns of malware campaign spreading a RAT masquerading as ransomware ∗∗∗ --------------------------------------------- The Microsoft security team has published details on Wednesday about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack. --------------------------------------------- https://therecord.media/microsoft-warns-of-malware-campaign-spreading-a-rat… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-601: Ubiquiti Networks EdgeOS Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ubiquiti Networks EdgeOS on EdgeRouter X, EdgeRouter Pro X SFP, EdgeRouter 10X and EdgePoint 6-port routers. User interaction is required to exploit this vulnerability in that an administrator must perform a firmware update on the device. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-601/ ∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in macOS SMB server ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable integer overflow vulnerability in Apple macOS’ SMB server that could lead to information disclosure. --------------------------------------------- https://blog.talosintelligence.com/2021/05/vuln-spotlight-smb-information-d… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel). --------------------------------------------- https://lwn.net/Articles/856775/ ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/20/cisco-releases-se… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within libcurl (CVE-2020-8284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: A security vulnerability in Node.js braces and netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager (CVE-2021-29687, CVE-2021-29688) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-014 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2021
by Daily end-of-shift report 19 May '21

19 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-05-2021 18:00 − Mittwoch 19-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MountLocker ransomware uses Windows API to worm through networks ∗∗∗ --------------------------------------------- The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-… ∗∗∗ Transparent Tribe APT Infrastructure Mapping ∗∗∗ --------------------------------------------- Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets. --------------------------------------------- https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure… ∗∗∗ May 2021 Forensic Contest: Answers and Analysis, (Wed, May 19th) ∗∗∗ --------------------------------------------- You can still find the pcap for our May 2021 forensic contest at this Github repository. --------------------------------------------- https://isc.sans.edu/diary/rss/27430 ∗∗∗ When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar ∗∗∗ --------------------------------------------- The purpose behind this investigative anecdote on the “water watering hole” is educational and highlights how sometimes two intrusions just don’t line up together no matter how much coincidence there is. --------------------------------------------- https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/ ∗∗∗ Instagram-NutzerInnen aufgepasst: Unseriöse Shops locken mit angeblicher Kooperation! ∗∗∗ --------------------------------------------- Auf Instagram tauchen immer wieder unseriöse Online-Shops auf. Die BetreiberInnen dieser Shops wenden unterschiedliche Maschen an, um ihre Produkte zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nutzerinnen-aufgepasst-uns… ∗∗∗ Crypto-mining gangs are running amok on free cloud computing platforms ∗∗∗ --------------------------------------------- Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms. --------------------------------------------- https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-… ===================== = Vulnerabilities = ===================== ∗∗∗ Pega Infinity patches authentication vulnerability ∗∗∗ --------------------------------------------- Pega Infinity is a popular enterprise software and researchers found a flaw in the authentication process by using a password reset weakness. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/pega-inf… ∗∗∗ Over 600,000 Sites Impacted by WP Statistics Patch ∗∗∗ --------------------------------------------- On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites. --------------------------------------------- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-sta… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, [...] --------------------------------------------- https://lwn.net/Articles/856649/ ∗∗∗ Researchers Find Exploitable Bugs in Mercedes-Benz Cars ∗∗∗ --------------------------------------------- Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution. --------------------------------------------- https://www.securityweek.com/researchers-find-exploitable-bugs-mercedes-ben… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei CloudEngine Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-client-side-http-paramete… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Access Control Security Vulnerability Exists in Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2020-4646) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-security-v… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerablities in IBM SDK, Java Technology Edition Quarterly. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablities-in-ibm-sdk… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Gdk-pixbuf vulnerability CVE-2017-2862 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36984830 ∗∗∗ Linux kernel vulnerability CVE-2019-20811 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52525232 ∗∗∗ BIND vulnerability CVE-2021-25215 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K96223611 ∗∗∗ BIND vulnerability CVE-2021-25214 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11426315 ∗∗∗ BOSCH-SA-350374: Vulnerability in the routing protocol of the PLC runtime ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-350374.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2021
by Daily end-of-shift report 18 May '21

18 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 17-05-2021 18:00 − Dienstag 18-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdate steht noch aus: Root-Lücke in Pulse Connect Secure ∗∗∗ --------------------------------------------- Angreifer könnten VPN Appliances vom Typ Pulse Connect Secure attackieren. Bislang ist nur eine Übergangslösung zu Absicherung verfügbar. --------------------------------------------- https://heise.de/-6048342 ∗∗∗ Unternehmen erhalten gefälschtes Schreiben vom "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe" ∗∗∗ --------------------------------------------- Zahlreiche UnternehmerInnen erhalten momentan einen Brief vom „WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe“ – angeblich eine Behörde zur Verwaltung von Firmendaten. Im Schreiben werden Sie aufgefordert, Ihre Daten zu überprüfen und ggf. zu korrigieren und zu ergänzen. Tun Sie das keinesfalls – es handelt sich um Betrug. Sie werden in eine Abo-Falle gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-erhalten-gefaelschtes-sc… ∗∗∗ Ransomware victim shows why transparency in attacks matters ∗∗∗ --------------------------------------------- As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a companys response to an attack that should be used as a model for all future disclosures. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-victim-shows-why-… ∗∗∗ Codecov hackers gained access to Monday.com source code ∗∗∗ --------------------------------------------- Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies. As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months. --------------------------------------------- https://www.bleepingcomputer.com/news/security/codecov-hackers-gained-acces… ∗∗∗ DarkSide Hits Toshiba; XSS Forum Bans Ransomware ∗∗∗ --------------------------------------------- The criminal forum washed its hands of ransomware after DarkSides pipeline attack & alleged shutdown: A "loss of servers" that didnt stop another attack. --------------------------------------------- https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/ ∗∗∗ From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th) ∗∗∗ --------------------------------------------- I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported function: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27428 ∗∗∗ Exploitation of Sharepoint 2016: Simple Things Matter – Case Study ∗∗∗ --------------------------------------------- This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version 16.0.0.4681. I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018). At that point, I started looking for publicly known exploits and research papers. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploitatio… ∗∗∗ Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic ∗∗∗ --------------------------------------------- During a recent operation, the Red Team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access. --------------------------------------------- https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-… ∗∗∗ Scammers Impersonating Windows Defender to Push Malicious Windows Apps ∗∗∗ --------------------------------------------- Summary points: Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts Recent campaigns pose as a Windows Defender Update Victims end up allowing the installation of a malicious Windows Application that targets user and system information Browser push notifications can highly resemble Windows system notifications. As recently discussed, scammers are abusing push notifications […]The post Scammers Impersonating Windows Defender to Push Malicious --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating… ∗∗∗ CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Microsoft Internet Information Services (IIS) for Windows. The bug was originally discovered by the Microsoft Platform Security & Vulnerability Research team. The following is a portion of their write-up covering CVE-2021-31166, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execut… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-594: (0Day) Microsoft Windows JET Database Engine Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-594/ ∗∗∗ About the security content of Boot Camp 6.1.14 ∗∗∗ --------------------------------------------- Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved state management. --------------------------------------------- https://support.apple.com/en-us/HT212517 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre). --------------------------------------------- https://lwn.net/Articles/856496/ ∗∗∗ Emerson Rosemount X-STREAM ∗∗∗ --------------------------------------------- This advisory contains mitigations for Inadequate Encryption Strength, Unrestricted Upload of File with Dangerous Type, Path Traversal, Use of Persistent Cookies Containing Sensitive Information, Cross-site Scripting, and Improper Restriction of Rendered UI Layers or Frames vulnerabilities for the Rosemount X-STREAM Gas Analyzer. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0536 ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0533 ∗∗∗ KLCERT-20-021: Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-019: Moxa NPort IA5000A Series. Passwords stored in plaintext ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ Security Bulletin: A vulnerabilities in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2021
by Daily end-of-shift report 17 May '21

17 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-05-2021 18:00 − Montag 17-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for wormable Windows HTTP vulnerability ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-wormabl… ∗∗∗ Bizarro banking Trojan expands its attacks to Europe ∗∗∗ --------------------------------------------- Bizarro is yet another banking Trojan family originating from Brazil that steals credentials from customers of 70 banks from different European and South American countries. --------------------------------------------- https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe… ∗∗∗ Ransomware Defenses, (Mon, May 17th) ∗∗∗ --------------------------------------------- Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly reoccurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOI's (Indicators of Outdated Intelligence), and how to try to [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27420 ∗∗∗ AHK RAT Loader Used in Unique Delivery Campaigns ∗∗∗ --------------------------------------------- The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting language - a fork of the AutoIt language that is frequently used for testing purposes. --------------------------------------------- https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-camp… ∗∗∗ Take action now - FluBot malware may be on its way ∗∗∗ --------------------------------------------- Why FluBot is a major threat for Android users, how to avoid falling victim, and how to get rid of the malware if your device has already been compromised --------------------------------------------- https://www.welivesecurity.com/2021/05/17/take-action-now-flubot-malware-ma… ∗∗∗ Two attacks disclosed against AMD’s SEV virtual machine protection system ∗∗∗ --------------------------------------------- Chipmaker AMD has issued guidance this week for two attacks against its SEV (Secure Encrypted Virtualization) technology that protects virtual machines from rogue operating systems. The two attacks, documented in two academic papers, can allow a threat actor to inject malicious code inside SEV-encrypted virtual machines, giving them full control over the VMs operating system. --------------------------------------------- https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-mach… ===================== = Vulnerabilities = ===================== ∗∗∗ Beckhoff Security Advisory 2021-002: Stack Overflow and XXE vulnerability in various OPC UA products ∗∗∗ --------------------------------------------- The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via the OPC UA protocol. --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ SSA-695540: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2 ∗∗∗ --------------------------------------------- Siemens has released version V13.1.0.2 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in ASM and PAR file formats. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-695540.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libimage-exiftool-perl and postgresql-9.6), Fedora (chromium, exiv2, firefox, kernel, kernel-headers, kernel-tools, mariadb, and python-impacket), Mageia (avahi), openSUSE (chromium, drbd-utils, dtc, ipvsadm, jhead, nagios, netdata, openvpn, opera, prosody, and virtualbox), Slackware (libxml2), SUSE (kernel and lz4), and Ubuntu (intel-microcode, python-eventlet, and rust-pleaser). --------------------------------------------- https://lwn.net/Articles/856437/ ∗∗∗ Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Guava Google Core Libraries Vulnerability Affects IBM Control Center (CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-guava-google-core-librari… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is affected by an Information disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-dataformat ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Apache Ant Vulnerabilities Affect IBM Control Center (CVE-2020-1945, CVE-2020-11979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-ant-vulnerabilitie… ∗∗∗ Security Bulletin: Multiple CKEditor Vulnerabilities Affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ckeditor-vulnera… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Python (CVE-2020-15801) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-h2-database-vulnerabiliti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2021
by Daily end-of-shift report 14 May '21

14 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-05-2021 18:00 − Freitag 14-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Kritische Lücke bedroht WordPress 3.7 bis 5.7 ∗∗∗ --------------------------------------------- Viele WordPress-Websites sind verwundbar. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6045823 ∗∗∗ DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized ∗∗∗ --------------------------------------------- The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained funds from an account the group uses to pay affiliates. --------------------------------------------- https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-se… ∗∗∗ Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity ∗∗∗ --------------------------------------------- This skimmer is using a hybrid approach to bypass detection and target vulnerable e-commerce websites. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-s… ∗∗∗ „Hier ist die letzte Warnung!“: Erpresser fordern Bitcoins ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit massenweise Erpressungsmails. Darin wird behauptet, dass das System der EmpfängerInnen gehackt wurde. Außerdem gäbe es ein Video, in dem ersichtlich wird, dass die betroffene Person einen Pornofilm sähe und dabei masturbiert. Die Kriminellen drohen, dieses Video zu veröffentlichen - außer man bezahlt 1.200$. Gehen Sie auf die Forderungen nicht ein, denn: Die Mails werden willkürlich an zahlreiche Menschen versendet. --------------------------------------------- https://www.watchlist-internet.at/news/hier-ist-die-letzte-warnung-erpresse… ∗∗∗ CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise ∗∗∗ --------------------------------------------- CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments. Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/14/cisa-publishes-ev… ∗∗∗ Microsoft: Windows 10 1809 and 1909 have reached end of service ∗∗∗ --------------------------------------------- Multiple editions of Windows 10 versions 1803, 1809, and 1909 have reached their End of Service (EOS) on this months Patch Tuesday, as Microsoft reminded customers yesterday. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-1809-a… ∗∗∗ Meet Lorenz - A new ransomware gang targeting the enterprise ∗∗∗ --------------------------------------------- A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware… ∗∗∗ Attackers abuse Microsoft dev tool to deploy Windows malware ∗∗∗ --------------------------------------------- Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/attackers-abuse-microsoft-de… ∗∗∗ QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day ∗∗∗ --------------------------------------------- QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage (NAS) devices, just two weeks after alerting them of an ongoing AgeLocker ransomware outbreak. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ranso… ∗∗∗ Fresh Loader Targets Aviation Victims with Spy RATs ∗∗∗ --------------------------------------------- The campaign is harvesting screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and more, with RevengeRAT or AsyncRAT payloads. --------------------------------------------- https://threatpost.com/loader-aviation-spy-rats/166133/ ∗∗∗ "Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th) ∗∗∗ --------------------------------------------- Jan's last diary about the recent attack against the US pipeline[1] was in perfect timing with the quick research I was preparing for a few weeks. If core components of industrial systems are less exposed in the wild, as said Jan, there is another issue with such infrastructures: remote access tools. --------------------------------------------- https://isc.sans.edu/diary/rss/27418 ∗∗∗ Server Side Scans and File Integrity Monitoring ∗∗∗ --------------------------------------------- When it comes to the ABCs of website security server side scans and file integrity monitoring are the “A” and “B”. In fact, our server side scanner is one of the most crucial tools in Sucuri’s arsenal. It’s paramount in maintaining an effective security product for our customers and analysts alike. This crucial tool handles tasks like issuing security warnings and alerts to our clients, notifying them that they have been compromised, and assisting our [...] --------------------------------------------- https://blog.sucuri.net/2021/05/server-side-scans-and-file-integrity-monito… ===================== = Vulnerabilities = ===================== ∗∗∗ SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability was discovered under Pulse Connect Secure (PCS). This includes buffer overflow vulnerability on the Pulse Connect Secure gateway that allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800 ∗∗∗ Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Hosted Collaboration Mediation Fulfillment Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Java Management Extensions (JMX) component of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an unsecured TCP/IP port. An attacker could exploit this vulnerability by accessing the port and restarting the JMX process. A successful exploit could allow the attacker to cause a DoS condition on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Critical Vulnerability Patched in External Media Plugin ∗∗∗ --------------------------------------------- On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote [...] --------------------------------------------- https://www.wordfence.com/blog/2021/05/critical-vulnerability-patched-in-ex… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphviz and redmine), Fedora (dom4j, kernel, kernel-headers, kernel-tools, mariadb, php, php-phpmailer6, and redis), openSUSE (kernel and nagios), and Ubuntu (mysql-5.7, mysql-8.0 and python-django). --------------------------------------------- https://lwn.net/Articles/856177/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, libgetdata, and postgresql-11), openSUSE (java-11-openjdk), SUSE (dtc, ibsim, ibutils, ipvsadm, and kernel), and Ubuntu (awstats and glibc). --------------------------------------------- https://lwn.net/Articles/856265/ ∗∗∗ Rockwell Automation Connected Components Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for Deserialization of Untrusted Data, Path Traversal, and Improper Input Validation vulnerabilities in Rockwell Automation Connected Components Workbench software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-01 ∗∗∗ Johnson Controls Sensormatic Tyco AI ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics (a subsidiary of Johnson Controls) Tyco AI products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-02 ∗∗∗ OPC Foundation UA Products Built with .NET Framework ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Recursion vulnerability in OPC Foundation servers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03 ∗∗∗ OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Unified Automation .NET based OPC UA Client/Server SDK Bundle Framework versions. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04 ∗∗∗ mod_auth_openidc vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN49704918/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ PostgreSQL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0521 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0528 ∗∗∗ ILIAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0526 ∗∗∗ git: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0524 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2021
by Daily end-of-shift report 12 May '21

12 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-05-2021 18:00 − Mittwoch 12-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Number of industrial control systems on the internet is lower then in 2020...but still far from zero, (Wed, May 12th) ∗∗∗ --------------------------------------------- With the recent ransomware attack that impacted operation of one of the major US pipelines, I thought it might be a good time to revisit the old topic of internet-connected industrial systems. --------------------------------------------- https://isc.sans.edu/diary/rss/27412 ∗∗∗ Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks ∗∗∗ --------------------------------------------- Three design and multiple implementation flaws have been disclosed in IEEE 802.11 technical standard that undergirds Wi-Fi, potentially enabling an adversary to take control over a system and plunder confidential data. --------------------------------------------- https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.ht… ∗∗∗ Shining a Light on DARKSIDE Ransomware Operations ∗∗∗ --------------------------------------------- Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-dar… ∗∗∗ Lebenslauf-Erstellung auf cvmaker.de führt zu Abo-Vertrag! ∗∗∗ --------------------------------------------- Sie sind auf Arbeitssuche und wollen einen professionellen Lebenslauf erstellen? Die Suche danach könnte Sie auf die Seite cvmaker.de führen. Dort können Sie schnell und unkompliziert den benötigten Lebenslauf erstellen und das für nur 2,95 Euro. Aber Achtung: Sieben Tage nachdem Sie bezahlt haben, schließen Sie automatisch ein Abo ab. --------------------------------------------- https://www.watchlist-internet.at/news/lebenslauf-erstellung-auf-cvmakerde-… ∗∗∗ „Ihre Lieferung befindet sich in unserem Zollzentrum“: Vorsicht vor betrügerischer SMS! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen der Watchlist Internet melden uns derzeit eine betrügerische SMS, die die EmpfängerInnen in eine Abo-Falle locken soll. Darin wird behauptet, dass sich eine Lieferung im Zollzentrum befindet und Importgebühren bezahlt werden müssen. --------------------------------------------- https://www.watchlist-internet.at/news/ihre-lieferung-befindet-sich-in-unse… ∗∗∗ Conti Ransomware ∗∗∗ --------------------------------------------- First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. --------------------------------------------- https://thedfirreport.com/2021/05/12/conti-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Send My: Arbitrary data transmission via Apples Find My network ∗∗∗ --------------------------------------------- Its possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices that then upload the data for you. --------------------------------------------- https://positive.security/blog/send-my ∗∗∗ Microsoft-Patchday: Windows-Trojaner könnte sich wurmartig auf PCs verbreiten ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Windows & Co. Mehrere Lücken sind bereits öffentlich bekannt. Attacken gibt es wohl noch nicht. --------------------------------------------- https://heise.de/-6044412 ∗∗∗ Adobe-Patchday: Attacken auf Adobe Acrobat und Reader ∗∗∗ --------------------------------------------- Adobe hat Sicherheitsupdates für verschiedene Anwendungen veröffentlicht. Vor allem Nutzer von Acrobat und Reader sollten die Patches zügig installieren. --------------------------------------------- https://heise.de/-6044528 ∗∗∗ SAP-Patchday: Angreifer könnten Daten von SAP-Software leaken ∗∗∗ --------------------------------------------- SAP hat Sicherheitsupdates für unter anderem Business One und NetWeaver AS ABAP veröffentlicht. --------------------------------------------- https://heise.de/-6044570 ∗∗∗ WLAN-Sicherheitslücken FragAttacks: Erste Updates ∗∗∗ --------------------------------------------- Für Windows, Linux, Router und WLAN-Adapter es bereits Patches oder zumindest Hinweise zum Schutz gegen die WLAN-Schwachstellen "FragAttacks". --------------------------------------------- https://heise.de/-6045116 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer, hivex, lz4, and rails), Fedora (chromium, community-mysql, djvulibre, dom4j, firefox, php, php-phpmailer6, python-django, and redis), Mageia (mariadb, nagios, and pngcheck), openSUSE (opera, syncthing, and vlc), SUSE (kernel, openvpn, openvpn-openssl1, shim, and xen), and Ubuntu (flatpak, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4,[...] --------------------------------------------- https://lwn.net/Articles/856086/ ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for RedHat OpenShift (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: A security vulnerability in Node.js glob-parent module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js Lodash module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in Ansible affect IBM Cloud Pak for Multicloud Management Hybrid GRC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ May 10, 2021 TNS-2021-09 [R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-09 ∗∗∗ Synology-SA-21:20 FragAttacks ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_20 ∗∗∗ BlackBerry Workspaces Server: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0503 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0510 ∗∗∗ BlackBerry UEM Management Console: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0517 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0515 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-01 ∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-02 ∗∗∗ Siemens Mendix Database Replication Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-05 ∗∗∗ Siemens Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-08 ∗∗∗ SA44790 - HTTP Request Smuggling vulnerability with Virtual Traffic Manager (vTM) ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44790 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2021
by Daily end-of-shift report 11 May '21

11 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 10-05-2021 18:00 − Dienstag 11-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI aktualisiert den Mindeststandard zur Verwendung von Transport Layer Security (TLS) ∗∗∗ --------------------------------------------- Die neue Version 2.2 des Mindeststandards berücksichtigt die aktuellen Empfehlungen der technischen Richtlinien des BSI (TR 02102-2, TR 03116-4) und thematisiert den Umgang mit TLS-Protokoll-Versionen und kryptografischen Verfahren, die nicht den Vorgaben des Mindeststandards entsprechen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Gefälschtes E-Mail der bank99 im Umlauf ∗∗∗ --------------------------------------------- Ihr bank99-Konto wurde angeblich gesperrt, weil Sie Ihre Identität nicht bestätigt haben? Vorsicht, diese Kundenmitteilung ist gefälscht. Kriminelle fälschen bank99-E-Mails, um an Ihre Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den "Vorgang starten"-Link. Sie werden auf eine nachgebaute Login-Website geleitet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-der-bank99-im-um… ∗∗∗ US and Australia warn of escalating Avaddon ransomware attacks ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-and-australia-warn-of-esc… ∗∗∗ TeaBot: a new Android malware emerged in Italy, targets banks in Europe ∗∗∗ --------------------------------------------- [...] At the beginning of January 2021, a new Android banker started appearing and it was discovered and analysed by our Threat Intelligence and Incident Response (TIR) team. Since lack of information and the absence of a proper nomenclature of this Android banker family, we decide to dub it as TeaBot to better track this family inside our internal Threat Intelligence taxonomy. --------------------------------------------- https://www.cleafy.com/documents/teabot ∗∗∗ Beware of Applications Misusing Root Stores ∗∗∗ --------------------------------------------- We have been alerted about applications that use the root store provided by Mozilla for purposes other than what Mozilla’s root store is curated for. [...] Applications that use Mozilla’s root store for a purpose other than that have a critical security vulnerability. --------------------------------------------- https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusin… ∗∗∗ DarkSide Malware Profile ∗∗∗ --------------------------------------------- The following report provides X-Force Threat Intelligences analysis of the DarkSide ransomware family based on publicly available samples. Summary: DarkSide, like other ransomware used in targeted attacks, encrypts user data in compromised computers. Recent variants of DarkSide ransomware enumerates various system properties of the victim and beacons them in an encoded POST request to its C2 address. DarkSide also executes an encoded PowerShell command to delete volume shadow copies. It deletes [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/06d0917405c36ca91f5db1fe0c0… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (hivex), Fedora (djvulibre and thunderbird), openSUSE (monitoring-plugins-smart and perl-Image-ExifTool), Oracle (kernel and kernel-container), Red Hat (kernel and kpatch-patch), SUSE (drbd-utils, java-11-openjdk, and python3), and Ubuntu (exiv2, firefox, libxstream-java, and pyyaml). --------------------------------------------- https://lwn.net/Articles/855995/ ∗∗∗ Synology-SA-21:19 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_19 ∗∗∗ Citrix Workspace App Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified that could result in a local user escalating their privilege level to SYSTEM on the computer running Citrix Workspace app for Windows. --------------------------------------------- https://support.citrix.com/article/CTX307794 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/google-releases-s… ∗∗∗ Reflected XSS Vulnerability in SIS Infromatik - Rewe Go ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infrom… ∗∗∗ SAP Patchday Mai ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0496 ∗∗∗ 2020-10Password Change Authentication Bypass Vulnerability in HiOS & HiSecOS ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=12914&mediaformat… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed an information disclosure vulnerability (CVE-2020-4536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a cross-site scripting vulnerability (CVE-2020-4535) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ SSA-854248: Information Disclosure Vulnerability in Mendix Excel Importer Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-854248.txt ∗∗∗ SSA-752103: Telnet Authentication Vulnerability in SINAMICS Medium Voltage Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-752103.txt ∗∗∗ SSA-723417: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-723417.txt ∗∗∗ SSA-678983: Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-678983.txt ∗∗∗ SSA-676775: Denial-of-Service Vulnerability in SIMATIC NET CP 343-1 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-676775.txt ∗∗∗ SSA-594364: Denial-of-Service Vulnerability in SNMP Implementation of WinCC Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594364.txt ∗∗∗ SSA-501073: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-501073.txt ∗∗∗ SSA-324955: SAD DNS Attack in Linux Based Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-324955.txt ∗∗∗ SSA-286838: Multiple Vulnerabilities in SINAMICS Medium Voltage Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-286838.txt ∗∗∗ SSA-116379: Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-116379.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2021
by Daily end-of-shift report 10 May '21

10 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-05-2021 18:00 − Montag 10-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th) ∗∗∗ --------------------------------------------- Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets. --------------------------------------------- https://isc.sans.edu/diary/rss/27404 ∗∗∗ Manipulierte Entwicklungsumgebung: Xcode-Malware war enorm verbreitet ∗∗∗ --------------------------------------------- Im Verfahren Epic gegen Apple kam heraus, dass 2015 fast 130 Millionen iPhone-Nutzer von "XcodeGhost" betroffen waren – in über 2500 Apps. --------------------------------------------- https://heise.de/-6041836 ∗∗∗ Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs ∗∗∗ --------------------------------------------- Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns. Lemon Duck remains relevant as the operators begin to target [...] --------------------------------------------- https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html ∗∗∗ Banking‑Trojaner Ousaban analysiert ∗∗∗ --------------------------------------------- In unserer Serie zu lateinamerikanischen Banking-Trojanern betrachten wir einen Vertreter mit komplexen Vertriebsweg --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/05/07/banking-trojaner-ousaban-… ∗∗∗ Colonial Pipeline Falls Victim to Attack ∗∗∗ --------------------------------------------- Summary A top U.S. fuel pipeline company has suffered a cyber attack that has forced them to halt operations. Several news sources and the company itself have confirmed the attack. Threat Type Cyber Attack Overview ** Update May 10 - 8:50 AM** The most recent reporting indicates that the attack likely involved DarkSide, a ransomware-as-a-service (RaaS) affiliate operation. DarkSide posted the following statement to their leak site following the attack: We are apolitical, we do not participate in [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/cc757925ae0fdf1689518a35128… ∗∗∗ SolarWinds says fewer than 100 customers were impacted by supply chain attack ∗∗∗ --------------------------------------------- Texas-based software firm SolarWinds downgraded the number of customers impacted by its 2020 supply chain attack from 18,000 to less than 100. --------------------------------------------- https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impac… ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit Reader bug lets attackers run malicious code via PDFs ∗∗∗ --------------------------------------------- Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader. --------------------------------------------- https://www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attack… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml2), Fedora (autotrace, babel, kernel, libopenmpt, libxml2, mingw-exiv2, mingw-OpenEXR, mingw-openexr, python-markdown2, and samba), openSUSE (alpine, avahi, libxml2, p7zip, redis, syncthing, and vlc), and Ubuntu (webkit2gtk). --------------------------------------------- https://lwn.net/Articles/855909/ ∗∗∗ Linux kernel vulnerability CVE-2020-1749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K02186513 ∗∗∗ Security Bulletin: IBM CloudPak foundational services (Events Operator) is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloudpak-foundational… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to CVE-2021-20538 and CVE-2021-20577 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js urijs module affects IBM Cloud Pak for Multicloud Management Infrastructure management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability (CVE-2021-20559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-control-desk-is-vulne… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Codec ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily