Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 07.05.2021
by Daily end-of-shift report 07 May '21

07 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-05-2021 18:00 − Freitag 07-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cuba Ransomware partners with Hancitor for spam-fueled attacks ∗∗∗ --------------------------------------------- The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-wit… ∗∗∗ MSM: Qualcomm-Modems in Millionen Smartphones angreifbar ∗∗∗ --------------------------------------------- Die Modems von Qualcomm könnten aus Android heraus angegriffen werden, um Gespräche mitzuhören. --------------------------------------------- https://www.golem.de/news/msm-qualcomm-modems-in-millionen-smartphones-angr… ∗∗∗ TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers ∗∗∗ --------------------------------------------- Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week. --------------------------------------------- https://www.securityweek.com/tsuname-vulnerability-can-be-exploited-ddos-at… ∗∗∗ Grill- und Gartensaison eröffnet: BetrügerInnen locken mit günstigen Angeboten! ∗∗∗ --------------------------------------------- Egal ob Werkzeuge zur Pflanzenpflege, ein neuer Griller, Terrassenmöbel oder ein Pool für den Garten: Mit steigenden Temperaturen, nimmt der Bedarf nach diesen Produkten zu. Natürlich lassen da auch BetrügerInnen nicht lange auf sich warten und locken mit günstigen Angeboten für die Grill- und Gartensaison. Wir zeigen Ihnen, wo Sie lieber nicht shoppen sollten! --------------------------------------------- https://www.watchlist-internet.at/news/grill-und-gartensaison-eroeffnet-bet… ∗∗∗ New Moriya rootkit stealthily backdoors Windows systems ∗∗∗ --------------------------------------------- Unknown attackers may have been quietly exploiting networks in attacks reaching back to 2018. --------------------------------------------- https://www.zdnet.com/article/new-moriya-rootkit-stealthily-backdoors-windo… ∗∗∗ LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks. SQLi and other injection attacks remain the top OWASP and CERT vulnerability. Current detection attempts frequently involve a myriad of regular expressions which are not only brittle and error-prone but also proven by Hanson and Patterson at Black Hat 2005 to never be a complete solution. --------------------------------------------- https://www.darknet.org.uk/2021/05/libinjection-detect-sql-injection-sqli-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and unbound1.9), Fedora (djvulibre and samba), Mageia (ceph, messagelib, and pagure), openSUSE (alpine and exim), Oracle (kernel and postgresql), Scientific Linux (postgresql), and Ubuntu (thunderbird and unbound). --------------------------------------------- https://lwn.net/Articles/855744/ ∗∗∗ SYSS-2021-024: XSS-SCHWACHSTELLE IM PRODUKT ADISCON LOGANALYZER (CVE-2021-31738) ∗∗∗ --------------------------------------------- Die Loginmaske des Adiscon LogAnalyzer war anfällig für eine Reflected XSS-Schwachstelle. Der Hersteller hat diese bereits mit einem Patch behoben. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-024-xss-schwachstelle-im-produkt… ∗∗∗ ABB Cybersecurity Advisory - AC 800PEC platform NAME:WRECK vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A1892&Lan… ∗∗∗ ABB Cybersecurity Advisory - Cassia Access Controller for ABB ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108368&Language… ∗∗∗ Security Advisory - Out-of-Bounds Write Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2021-3177 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for Interac e-Transfers for Red Hat OpenShift (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for Digital Payments for RedHat OpenShift (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: Information disclosure vulnerability may affect IBM Robotic Process Automation Anywher – CVE-2020-4901 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2021
by Daily end-of-shift report 06 May '21

06 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-05-2021 18:00 − Donnerstag 06-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ RotaJakiro, the Linux version of the OceanLotus ∗∗∗ --------------------------------------------- On Apr 28, we published our RotaJakiro backdoor blog, at that time, we didn’t have the answer for a very important question, what is this backdoor exactly for? We asked the community for clues and two days ago we got a hint, PE(Thanks!) wrote the following comment on --------------------------------------------- https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/ ∗∗∗ Alternative Ways To Perform Basic Tasks, (Thu, May 6th) ∗∗∗ --------------------------------------------- I like to spot techniques used by malware developers to perform basic tasks. We know the lolbins[1] that are pre-installed tools used to perform malicious activities. Many lolbins are used, for example, to download some content from the Internet. Some tools are so powerful that they can also be used to perform unexpected tasks. --------------------------------------------- https://isc.sans.edu/diary/rss/27392 ∗∗∗ Strong, Secure Passwords Are Key to Helping Reduce Risk to Your Organization ∗∗∗ --------------------------------------------- Blog post on how to create strong, secure passwords to reduce risk to your organization. --------------------------------------------- https://www.sans.org/blog/strong-secure-passwords-are-key-to-helping-reduce… ∗∗∗ BSI veröffentlicht Whitepaper zum aktuellen Stand der Prüfbarkeit von KI-Systemen ∗∗∗ --------------------------------------------- Basierend auf einem vom BSI, vom Verband der TÜVs und vom Fraunhofer HHI ausgetragenen internationalen Expertenworkshop wurde ein Whitepaper zum aktuellen Stand, offenen Fragen und zukünftig wichtigen Aktivitäten bezüglich der Prüfbarkeit von KI-Systemen verfasst. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ TrickBot: Get to Know the Malware That Refuses to Be Killed ∗∗∗ --------------------------------------------- Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with. Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/trickbot/ ∗∗∗ Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software ∗∗∗ --------------------------------------------- The incident started with a student who didnt want to pay for a license and ended with the loss of research. --------------------------------------------- https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-researc… ∗∗∗ CISA Releases Analysis Reports on New FiveHands Ransomware ∗∗∗ --------------------------------------------- CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant, known as FiveHands, that has been used to successfully conduct a cyberattack against an organization. CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor’s tactics, techniques, and procedures as well as indicators of compromise (IOCs). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/06/cisa-releases-ana… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco SD-WAN: Angreifer könnten Admin-Accounts erstellen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Cisco. --------------------------------------------- https://heise.de/-6038258 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-django), Fedora (java-latest-openjdk, libopenmpt, python-yara, skopeo, thunderbird, and yara), openSUSE (ceph and openexr), Red Hat (postgresql), SUSE (libxml2), and Ubuntu (exim4 and gnome-autoar). --------------------------------------------- https://lwn.net/Articles/855613/ ∗∗∗ Android users’ privacy at risk as Check Point Research identifies vulnerability on Qualcomm’s mobile station modems ∗∗∗ --------------------------------------------- Check Point Research (CPR) found a security vulnerability in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world’s phones. If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them [...] --------------------------------------------- https://blog.checkpoint.com/2021/05/06/android-users-privacy-at-risk-as-che… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in FusionCompute Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506… ∗∗∗ Ruby on Rails: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0480 ∗∗∗ Foxit Reader & PhantomPDF: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0481 ∗∗∗ VMware vRealize Operations: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0489 ∗∗∗ ZDI-21-523: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-523/ ∗∗∗ ZDI-21-522: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-522/ ∗∗∗ ZDI-21-521: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-521/ ∗∗∗ ZDI-21-520: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-520/ ∗∗∗ Security Bulletin: Vulnerability in Fabric OS used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fabric-o… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8287) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8265) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: A vulnerabilities in IBM Java affects IBM Rational Asset Analyzer. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java affecting IBM Rational Asset Analyzer. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2021
by Daily end-of-shift report 05 May '21

05 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-05-2021 18:00 − Mittwoch 05-05-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Quick and dirty Python: masscan, (Tue, May 4th) ∗∗∗ --------------------------------------------- The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable. --------------------------------------------- https://isc.sans.edu/diary/rss/27384 ∗∗∗ Introducing Baserunner: a tool for exploring and exploiting Firebase datastores ∗∗∗ --------------------------------------------- In this post well be looking at some risks posed by Firebase, a popular serverless application platform. --------------------------------------------- https://iosiro.com/blog/baserunner-exploiting-firebase-datastores ∗∗∗ How Attackers Use Compromised Accounts to Create and Distribute Malicious OAuth Apps ∗∗∗ --------------------------------------------- Open authorization or “OAuth” apps add business features and user-interface enhancements to major cloud platforms such as Microsoft 365 and Google Workspace. Unfortunately, they’re also a new threat vector [...] --------------------------------------------- https://www.proofpoint.com/us/blog/email-and-cloud-threats/how-attackers-us… ∗∗∗ How to Stop the Popups ∗∗∗ --------------------------------------------- McAfee is tracking an increase in the use of deceptive popups that mislead some users into taking action, while annoying many others. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-to-stop-the-popups/ ∗∗∗ Tour de Peloton: Exposed user data ∗∗∗ --------------------------------------------- An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. --------------------------------------------- https://www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-… ∗∗∗ Wunderheilmittel Entgiftungspflaster? Vorsicht bei Bestellungen auf nuubu.com! ∗∗∗ --------------------------------------------- Die körperliche und psychische Gesundheit mit Hilfe eines Entgiftungspflasters steigern? Das verspricht die litauische Firma „UAB Ekomlita“, die die Webseite nuubu.com betreibt. Wir raten jedoch zu Vorsicht: Rechtliche Vorgaben werden nicht eingehalten. --------------------------------------------- https://www.watchlist-internet.at/news/wunderheilmittel-entgiftungspflaster… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Kritische Root-Lücken bedrohen Exim-Mail-Server ∗∗∗ --------------------------------------------- Bei einer Untersuchung des Codes von Exim sind Sicherheitsforscher auf 21 Sicherheitslücken gestoßen. Angreifer könnten ganze Server übernehmen. --------------------------------------------- https://heise.de/-6036724 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cgal, exim4, and mediawiki), Fedora (axel, libmicrohttpd, libtpms, perl-Image-ExifTool, pngcheck, python-yara, and yara), Gentoo (exim), Mageia (kernel-linus), openSUSE (bind and postsrsd), SUSE (avahi, openexr, p7zip, python-Pygments, python36, samba, sca-patterns-sle11, and webkit2gtk3), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450, nvidia-graphics-drivers-450-server,[...] --------------------------------------------- https://lwn.net/Articles/855462/ ∗∗∗ Advantech WISE-PaaS RMM ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Advantech WISE-PaaS RMM, a software platform focused on IoT device remote monitoring and management. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-124-01 ∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Write vulnerability in Delta Electronics CNCSoft ScreenEditor software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-124-02 ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to insecure inter-deployment communication (CVE-2020-4979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Issues in IBM® Java™ SDK Technology Edition affects IBM Security Identity Manager Virtual Appliance (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-issues-in-ibm-java-sdk-te… ∗∗∗ Security Bulletin: IBM QRadar SIEM contains hard-coded credentials (CVE-2021-20401, CVE-2020-4932) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-contains-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting (XSS) (CVE-2020-4929) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache httpclient ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to path traversal (CVE-2020-4993) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM may be vulnerable to a XML External Entity Injection attack (XXE) (CVE-2020-5013) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-may-be-vu… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Cross domain information disclosure (CVE-2020-4883) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Apache Tomcat as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2020-13943) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-as-used-by-… ∗∗∗ CVE-2021-26900: Privilege Escalation Via a Use After Free Vulnerability In win32k ∗∗∗ --------------------------------------------- https://www.thezdi.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-vi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2021
by Daily end-of-shift report 04 May '21

04 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 03-05-2021 18:00 − Dienstag 04-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Webkit: Apple warnt vor Zero Days in iOS und MacOS ∗∗∗ --------------------------------------------- Die Apple-Lücken in Webkit werden wohl bereits aktiv ausgenutzt. Das Unternehmen stellt Updates bereit. --------------------------------------------- https://www.golem.de/news/webkit-apple-warnt-vor-zero-days-in-ios-2105-1562… ∗∗∗ 21Nails vulnerabilities impact 60% of the internet’s email servers ∗∗∗ --------------------------------------------- The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors. --------------------------------------------- https://therecord.media/21nails-vulnerabilities-impact-60-of-the-internets-… ∗∗∗ Pingback: Backdoor At The End Of The ICMP Tunnel ∗∗∗ --------------------------------------------- In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at… ∗∗∗ RM3 - Curiosities of the wildest banking malware ∗∗∗ --------------------------------------------- TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We’ll start with an overview of its origins and current operations before providing a deep dive technical analysis [...] --------------------------------------------- https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-m… ∗∗∗ Firebase Domain Front - Hiding C2 as App traffic ∗∗∗ --------------------------------------------- We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters --------------------------------------------- https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding… ∗∗∗ Jetzt patchen! Sicherheitsupdate für Pulse Connect Secure verfügbar ∗∗∗ --------------------------------------------- In einer aktualisierten Version der VPN-Software Pulse Connect Secure von Ivanti haben die Entwickler kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-6035501 ∗∗∗ ATT&CK v9 Introduces Containers, Google Workspace ∗∗∗ --------------------------------------------- MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform. --------------------------------------------- https://www.securityweek.com/attck-v9-introduces-containers-google-workspace ∗∗∗ Anzügliche Sex-Nachrichten auf Facebook & Instagram: Dahinter steckt Betrug ∗∗∗ --------------------------------------------- Facebook- und Instagram-NutzerInnen kennen es: Freundschaftsanfragen oder Nachrichten von unbekannten, meist freizügig gekleideten Frauen. Auf Instagram werden NutzerInnen auch sehr häufig zu fragwürdigen Gruppen hinzugefügt oder von Unbekannten auf Bildern markiert. Dahinter stecken Fake-Profile oder Bots, die auf unseriöse Dating-Portale locken, Daten sammeln oder nach Zugangsdaten fischen. --------------------------------------------- https://www.watchlist-internet.at/news/anzuegliche-sex-nachrichten-auf-face… ∗∗∗ Three new malware families found in global finance phishing campaign ∗∗∗ --------------------------------------------- Doubledrag, Doubledrop, and Doubleback are the work of “experienced” threat actors. --------------------------------------------- https://www.zdnet.com/article/researchers-find-three-new-malware-families-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Aktiv ausgenutzte Lücken: Apple patcht iOS, macOS und watchOS ∗∗∗ --------------------------------------------- macOS 11.3.1, iOS 14.5.1 und watchOS 7.4.1 beheben ein akutes Sicherheitsproblem in Safari. Außerdem wird ein Bug beim iPhone-App-Tracking-Schutz gefixt. --------------------------------------------- https://heise.de/-6035220 ∗∗∗ Android-Patchday: Kritische System-Lücke gibt Angreifern die volle Kontrolle ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. --------------------------------------------- https://heise.de/-6035560 ∗∗∗ Xen Security Advisory CVE-2021-28689 / XSA-370 - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests ∗∗∗ --------------------------------------------- A malicious 32-bit guest kernel may be able to mount a Spectre v2 attack against Xen, despite the presence hardware protections being active. It therefore might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-370.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba). --------------------------------------------- https://lwn.net/Articles/855308/ ∗∗∗ High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices ∗∗∗ --------------------------------------------- Owners of Dell devices were informed on Tuesday that a firmware update driver present on a large number of systems is affected by a series of high-severity vulnerabilities. --------------------------------------------- https://www.securityweek.com/high-severity-dell-driver-vulnerabilities-impa… ∗∗∗ Synology-SA-21:18 Hyper Backup ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Hyper Backup. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_18 ∗∗∗ Security Bulletin: Go is vulnerable to a denial of service on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-a-den… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with segmentation fault on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: GO is vulnerable to allows attacks on clients on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-allow… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: A vulnerability exists in the management GUI of the IBM FlashSystem 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: TensorFlow is vulnerable to a heap-based buffer overflow on IBM Watson Machine Learning on CP4D ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-is-vulnerable-… ∗∗∗ Security Bulletin: GO security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-go-security-vulnerabiliti… ∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3049, CVE-2021-3050) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2021
by Daily end-of-shift report 03 May '21

03 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-04-2021 18:00 − Montag 03-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Babuk quits ransomware encryption, focuses on data-theft extortion ∗∗∗ --------------------------------------------- A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encry… ∗∗∗ Hacker-Wettbewerb Austria Cyber Security Challenge gestartet ∗∗∗ --------------------------------------------- Der IT-Security-Wettbewerb für Schüler*innen, Studierende und Interessierte feiert heuer sein 10-jähriges Jubiläum. --------------------------------------------- https://futurezone.at/digital-life/hacker-wettbewerb-austria-cyber-security… ∗∗∗ New Buer Malware Downloader Rewritten in E-Z Rust Language ∗∗∗ --------------------------------------------- Its coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground. --------------------------------------------- https://threatpost.com/buer-malware-loader-rewritten-rust/165782/ ∗∗∗ PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd) ∗∗∗ --------------------------------------------- Many SSH clients can remember SSH servers' fingerprints. This can serve as a safety mechanism: you get a warning when the server you want to connect to, has no longer the same fingerprint. And then you can decide what to do: continue with the connection, or stop and try to figure out what is going on. --------------------------------------------- https://isc.sans.edu/diary/rss/27376 ∗∗∗ Sicherheitslücke Spectre lebt neu auf: AMD- und Intel-Prozessoren betroffen ∗∗∗ --------------------------------------------- Ein neuer Seitenkanalangriff zielt auf die Micro-Op-Caches aller modernen CPUs von AMD und Intel ab, Ryzen 5000 und Rocket Lake-S eingeschlossen. --------------------------------------------- https://heise.de/-6034264 ∗∗∗ Windows 10: BSI stellt Sicherheitseinstellungen zur Verfügung ∗∗∗ --------------------------------------------- Das BSI hat im Rahmen der „Studie zu Systemaufbau, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10“ (SiSyPHuS Win10) Handlungsempfehlungen zur Absicherung der Windows-Systeme in deutscher und englischer Sprache veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Tesla Car Hacked Remotely From Drone via Zero-Click Exploit ∗∗∗ --------------------------------------------- Two researchers have shown how a Tesla - and possibly other cars - can be hacked remotely without any user interaction. They carried out the attack from a drone. --------------------------------------------- https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exp… ∗∗∗ Trickbot Brief: Creds and Beacons ∗∗∗ --------------------------------------------- “TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal [...] --------------------------------------------- https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/ ∗∗∗ Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack ∗∗∗ --------------------------------------------- Swiss Cloud, a Switzerland-based cloud hosting provider, has suffered this week a ransomware attack that brought the companys server infrastructure to its knees. --------------------------------------------- https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider… ===================== = Vulnerabilities = ===================== ∗∗∗ Pulse Secure fixes VPN zero-day used to hack high-value targets ∗∗∗ --------------------------------------------- Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-… ∗∗∗ 8 geben: Python-Standard-Library ignoriert das Oktalystem in IP-Adressen ∗∗∗ --------------------------------------------- Die Library ipaddress prüft IP-Adressen seit 2019 nicht mehr auf führende Nullen. Ein Patch ist in Sicht, aber noch nicht veröffentlicht. --------------------------------------------- https://heise.de/-6034508 ∗∗∗ SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin ∗∗∗ --------------------------------------------- On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all [...] --------------------------------------------- https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, GNOME, java-1.8.0-openjdk, java-11-openjdk, nss and nspr, xstream, and xterm), Debian (bind9 and libimage-exiftool-perl), Fedora (ansible, babel, java-11-openjdk, and java-latest-openjdk), Gentoo (chromium, clamav, firefox, git, grub, python, thunderbird, tiff, webkit-gtk, and xorg-server), Mageia (kernel, nvidia-current, nvidia390, qtbase5, and sdl2), openSUSE (Chromium, cifs-utils, cups, giflib, gsoap, libnettle, librsvg, netdata, postsrsd, [...] --------------------------------------------- https://lwn.net/Articles/855217/ ∗∗∗ Synology-SA-21:16 ISC BIND ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology DNS Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_16 ∗∗∗ Synology-SA-21:17 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_17 ∗∗∗ Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php ∗∗∗ Epic Games Psyonix Rocket League v1.95 Insecure Permissions ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5650.php ∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2021
by Daily end-of-shift report 30 Apr '21

30 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-04-2021 18:00 − Freitag 30-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qnap-NAS mit veralteter Firmware fallen AgeLocker-Ransomware zum Opfer ∗∗∗ --------------------------------------------- Erneut hat es ein Verschlüsselungstrojaner auf Netzwerkspeicher (NAS) von Qnap abgesehen. --------------------------------------------- https://heise.de/-6032831 ∗∗∗ Anlagebetrug: Alexander Van der Bellen wirbt nicht für Bitcoin-Investments! ∗∗∗ --------------------------------------------- Immer wieder berichten wir davon, dass Promis ungerechtfertigt genutzt werden, um unseriöse Trading-Plattformen zu bewerben. Aktuell haben es die Kriminellen auf den österreichischen Bundespräsidenten Alexander Van der Bellen abgesehen. Dieser soll erfundenen Berichten zu Folge unseriöse Plattformen wie „Bitcoin Era“, „Bitcoin Prime“ oder „Crypto Revolt“ nutzen, um zusätzliches Geld zu verdienen. Glauben Sie diesen Berichten nicht. --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-alexander-van-der-belle… ∗∗∗ Codecov begins notifying affected customers, discloses IOCs ∗∗∗ --------------------------------------------- Codecov has now started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/codecov-begins-notifying-aff… ∗∗∗ DomainTools And Digital Archeology: A Look At RotaJakiro ∗∗∗ --------------------------------------------- Gain additional insight into the malware dubbed RotaJakiro by Netlab with analysis by Chad Anderson on additional infrastructure unearthed including IP addresses, C2 domains, and more. --------------------------------------------- https://www.domaintools.com/resources/blog/domaintools-and-digital-archeolo… ∗∗∗ Babuk Ransomware Gang Mulls Retirement ∗∗∗ --------------------------------------------- The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that theyll be open-sourcing their data encryption malware for other crooks to use. --------------------------------------------- https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/ ∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community or this post. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th) ∗∗∗ --------------------------------------------- A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challeng…. --------------------------------------------- https://isc.sans.edu/diary/rss/27372 ∗∗∗ How to Find & Fix Mixed Content Issues with SSL / HTTPS ∗∗∗ --------------------------------------------- Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings. Today, let’s look at these common errors, what causes them, and how [...] --------------------------------------------- https://blog.sucuri.net/2021/04/how-to-find-fix-mixed-content-issues-with-s… ∗∗∗ UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat ∗∗∗ --------------------------------------------- Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fi… ∗∗∗ IoT riddled with BadAlloc vulnerabilities ∗∗∗ --------------------------------------------- A set of memory allocation vulnerabilities, dubbed BadAlloc, has been found in a massive number of IoT and OT devices. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/04/iot-riddled-with-badalloc-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke verrät Standorte von Elektro-Zweirädern und Telefonnummern ∗∗∗ --------------------------------------------- Die API des Zweiradherstellers Supersoco hat eine schwere Sicherheitslücke, aber weder der Hersteller noch der D/AT-Importeur kümmern sich. --------------------------------------------- https://heise.de/-6032820 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, firefox, gitlab, libupnp, nimble, opera, thunderbird, virtualbox, and vivaldi), Debian (composer, edk2, and libhibernate3-java), Fedora (java-1.8.0-openjdk, jetty, and samba), openSUSE (nim), Oracle (bind and runc), Red Hat (bind), SUSE (cifs-utils, cups, ldb, samba, permissions, samba, and tomcat), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/855029/ ∗∗∗ Texas Instruments SimpleLink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow and Integer Overflow or Wraparound vulnerabilities in Texas Instruments SimpleLink wireless microcontrollers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-01 ∗∗∗ Cassia Networks Access Controller ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Path Traversal vulnerability in Cassia Networks Access Controller Bluetooth network management tool. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-02 ∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in the Ubunty operating system of Exacq Technologies exacqVision. Exacq Technologies is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-03 ∗∗∗ Multiple RTOS ∗∗∗ --------------------------------------------- CISA is aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. This advisory contains mitigations for Integer Overflow or Wraparound vulnerabilities associated with this "BadAlloc" report. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 ∗∗∗ ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities ∗∗∗ --------------------------------------------- BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL Versions previous to 1.1.1k and Python 0 through 3.9.1, have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be easily exploited. The exploitation of these vulnerabilities can lead to remote code execution --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-017743.html ∗∗∗ FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline ∗∗∗ --------------------------------------------- BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-428397.html ∗∗∗ Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities ∗∗∗ --------------------------------------------- Parallels Desktop implements a hypercall interface using an RDPMC instruction (“Read Performance-Monitoring Counter”) for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [PDF] paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and [...] --------------------------------------------- https://www.thezdi.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-int… ∗∗∗ QNAP NAS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0462 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a Server-Side Request Forgery vulnerability (CVE-2020-28168) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Images built from IBM App Connect Enterprise Certified Container images may be vulnerable to information exposure via CVE-2020-15095 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-images-built-from-ibm-app… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os… ∗∗∗ Security Bulletin: z/TPF is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-o… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container flows may be vulnerable to spoofing attacks (CVE-2020-26291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring components may be vulnerable to a denial of service attack (CVE-2020-28477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2021
by Daily end-of-shift report 29 Apr '21

29 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-04-2021 18:00 − Donnerstag 29-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Google: Androids Corona-Kontaktverfolgung leakt Daten ∗∗∗ --------------------------------------------- Eigentlich sollte nur das Exposure Notification Framework auf die gesammelten Kontakte zugreifen können, doch Android schreibt sie in ein Log. --------------------------------------------- https://www.golem.de/news/corona-warn-app-androids-corona-kontaktverfolgung… ∗∗∗ Threat Alert: New update from Sysrv-hello, now infecting victims‘ webpages to push malicious exe to end users ∗∗∗ --------------------------------------------- >From the end of last year to now, we have see the uptick of the mining botnet families. While new families have been popping up, some old ones are get frequently updated. Our BotMon system has recently reported about the [rinfo][z0miner]. And the latest case comes from Sysrv-hello [...] --------------------------------------------- https://blog.netlab.360.com/threat-alert-new-update-from-sysrv-hello-now-in… ∗∗∗ Announcing the New Report Delta Mode Option ∗∗∗ --------------------------------------------- A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipients’s network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the [...] --------------------------------------------- https://www.shadowserver.org/news/announcing-the-new-report-delta-mode-opti… ∗∗∗ Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers billing details for two weeks ∗∗∗ --------------------------------------------- First that IPO and now this Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers billing information via a now-patched vulnerability. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/04/29/digital_ocea… ∗∗∗ [SANS ISC] From Python to .Net ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “From Python to .Net“: The Microsoft operating system provides the .Net framework to developers. It allows to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the [...] --------------------------------------------- https://blog.rootshell.be/2021/04/29/sans-isc-from-python-to-net/ ∗∗∗ Task Force Seeks to Disrupt Ransomware Payments ∗∗∗ --------------------------------------------- Some of the worlds top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes. --------------------------------------------- https://krebsonsecurity.com/2021/04/task-force-seeks-to-disrupt-ransomware-… ∗∗∗ Bitcoin scammers phish for wallet recovery codes on Twitter ∗∗∗ --------------------------------------------- Cryptocurrency scammers are on the prowl for wallet recovery phrases, under the pretence of trying to be helpful. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/04/bitcoin-scammers-p… ∗∗∗ Anatomy of how you get pwned ∗∗∗ --------------------------------------------- Today, somebody had a problem: they kept seeing a popup on their screen, and obvious scam trying to sell them McAfee anti-virus. Where was this coming from? In this blogpost, I follow this rabbit hole on down. It starts with "search engine optimization" links and leads to an entire industry of tricks, scams, exploiting popups, trying to infect your machine with viruses, and stealing emails or credit card numbers. --------------------------------------------- https://blog.erratasec.com/2021/04/anatomy-of-how-you-get-pwned.html ∗∗∗ Betrügerische Kleinanzeigen auf hyperanzeigen.at ∗∗∗ --------------------------------------------- Immer wieder erreichen die Watchlist Internet Meldungen zu unseriösen Angeboten auf hyperanzeigen.at. Ein genauerer Blick auf die Plattform selbst lässt aber auch Zweifel an deren Seriosität aufkommen. Bei einer Überprüfung von 15 Anzeigen aus unterschiedlichen Kategorien konnten wir keine einzige echte finden. Weiters fehlen Kontaktmöglichkeiten und ein Impressum. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-kleinanzeigen-auf-hyp… ∗∗∗ New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl) ∗∗∗ --------------------------------------------- We analyze commodity malware WeSteal, detail its techniques and examine its customers, as well as sharing details of a newly observed RAT, WeControl. --------------------------------------------- https://unit42.paloaltonetworks.com/westeal/ ===================== = Vulnerabilities = ===================== ∗∗∗ A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks ∗∗∗ --------------------------------------------- The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was [...] --------------------------------------------- https://thehackernews.com/2021/04/a-new-php-composer-bug-could-enable.html ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Advisories zu 13 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, fünf als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Overview of F5 vulnerabilities (April 2021) ∗∗∗ --------------------------------------------- Overview of F5 vulnerabilities (April 2021) Security Advisory Security Advisory Description On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as [...] --------------------------------------------- https://support.f5.com/csp/article/K96639388 ∗∗∗ Vulnerability Exposes F5 BIG-IP to Kerberos KDC Hijacking Attacks ∗∗∗ --------------------------------------------- F5 Networks this week released patches to address an authentication bypass vulnerability affecting BIG-IP Access Policy Manager (APM), but fixes are not available for all impacted versions. --------------------------------------------- https://www.securityweek.com/vulnerability-exposes-f5-big-ip-kerberos-kdc-h… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ceph, jetty, kernel, kernel-headers, kernel-tools, openvpn, and shim-unsigned-x64), Mageia (firefox and thunderbird), Oracle (nss and openldap), Red Hat (bind), Slackware (bind), SUSE (firefox, giflib, java-1_7_0-openjdk, libnettle, librsvg, thunderbird, and webkit2gtk3), and Ubuntu (bind9 and gst-plugins-good1.0). --------------------------------------------- https://lwn.net/Articles/854880/ ∗∗∗ ZDI-21-490: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-490/ ∗∗∗ ZDI-21-489: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-489/ ∗∗∗ ZDI-21-488: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-488/ ∗∗∗ ZDI-21-487: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-487/ ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cookie forgery via PHP (CVE-2020-7070) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0452 ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0451 ∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0459 ∗∗∗ PHP: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0458 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2021
by Daily end-of-shift report 28 Apr '21

28 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-04-2021 18:00 − Mittwoch 28-04-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security: Juristische Konsequenzen durch den Cellebrite-Hack ∗∗∗ --------------------------------------------- Urteile, in denen die Forensiksoftware zur Beweissicherung verwendet wurde, werden nach Aufdeckung der schweren Sicherheitslücken in Frage gestellt. --------------------------------------------- https://www.golem.de/news/security-juristische-konsequenzen-durch-den-celle… ∗∗∗ RotaJakiro: A long live secret backdoor with 0 VT detection ∗∗∗ --------------------------------------------- On March 25, 2021, 360 NETLABs BotMon system flagged a suspiciousELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection, the sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not of TLS/SSL. --------------------------------------------- https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ ∗∗∗ Abusing Replication: Stealing AD FS Secrets Over the Network ∗∗∗ --------------------------------------------- Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-st… ∗∗∗ Emotet: Gut 4 Millionen kopierter Mail-Adressen bei Prüfdienst Have I Been Pwned ∗∗∗ --------------------------------------------- Um Betroffene besser informieren zu können, hat das FBI über vier Mio. E-Mail-Adressen, die der Ex-"König der Schadsoftware" Emotet abgriff, mit HIBP geteilt. --------------------------------------------- https://heise.de/-6030480 ∗∗∗ User Empowerment: Password Security ∗∗∗ --------------------------------------------- World Password Day (who knew that was a thing?) is upon us. --------------------------------------------- https://malicious.link/post/2021/user-empowerment-password-security/ ∗∗∗ Österreichische Gesundheitskasse warnt vor betrügerischen Anrufen ∗∗∗ --------------------------------------------- Versicherte der Österreichischen Gesundheitskasse (ÖGK) werden derzeit von BetrügerInnen angerufen. Die BetrügerInnen geben sich als MitarbeiterInnen der ÖGK aus und rufen von einer vermeintlich österreichischen Nummer an. --------------------------------------------- https://www.watchlist-internet.at/news/oesterreichische-gesundheitskasse-wa… ∗∗∗ Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle ∗∗∗ --------------------------------------------- It has been suspected that exploit code used in the wave of attacks may have been sourced from the program. --------------------------------------------- https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing… ∗∗∗ Two million database servers are currently exposed across cloud providers ∗∗∗ --------------------------------------------- Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs. --------------------------------------------- https://therecord.media/two-million-database-servers-are-currently-exposed-… ∗∗∗ Ransomware gang targets Microsoft SharePoint servers ∗∗∗ --------------------------------------------- Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs. --------------------------------------------- https://therecord.media/ransomware-gang-targets-microsoft-sharepoint-server… ===================== = Vulnerabilities = ===================== ∗∗∗ Schadcode-Lücke in IBM Spectrum Protect gefährdet Server ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für IBMs Datenschutzlösung Spectrum Protect und Spectrum Protect Plus. --------------------------------------------- https://heise.de/-6030379 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and shibboleth-sp), Fedora (ceph and salt), Oracle (thunderbird), Red Hat (etcd), Scientific Linux (nss and openldap), SUSE (curl, gdm, and libnettle), and Ubuntu (openjdk-8, openjdk-lts and underscore). --------------------------------------------- https://lwn.net/Articles/854756/ ∗∗∗ Synology-SA-21:15 Antivirus Essential ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_15 ∗∗∗ WordPress plugin "WP Fastest Cache" vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35240327/ ∗∗∗ ZDI-21-485: (0Day) Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-485/ ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-16044) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a directory traversal vulnerability affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-26974) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23978) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04234247 ∗∗∗ TMM vulnerability CVE-2021-23011 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10751325 ∗∗∗ BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91414704 ∗∗∗ Running a CTU Diagnostics Report may leave elevated command prompt after report generation ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03544414 ∗∗∗ TMM with HTTP/2 vulnerability (CVE-2021-23009) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K90603426 ∗∗∗ BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18570111 ∗∗∗ BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23203045 ∗∗∗ BIG-IP APM AD authentication vulnerability CVE-2021-23008 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51213246 ∗∗∗ Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74151369 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2021
by Daily end-of-shift report 27 Apr '21

27 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 26-04-2021 18:00 − Dienstag 27-04-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 15 open source GitHub projects for security pros ∗∗∗ --------------------------------------------- Whether you are a sysadmin, a threat intel analyst, a malware researcher, forensics expert, or even a software developer looking to build secure software, these 15 free tools from GitHub or GitLab can easily fit into your day-to-day work activities and provide added advantages. --------------------------------------------- https://www.csoonline.com/article/3058594/19-open-source-github-projects-fo… ∗∗∗ CAD: .DGN and .MVBA Files, (Mon, Apr 26th) ∗∗∗ --------------------------------------------- Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code. --------------------------------------------- https://isc.sans.edu/diary/rss/27354 ∗∗∗ Aggrokatz: pypykatz trifft Cobalt Strike ∗∗∗ --------------------------------------------- Das Tool "aggrokatz", welches von SEC Consult intern zum Parsen von LSASS-Dump-Dateien in Cobalt Strike eingesetzt wird, wurde soeben als Open Source Tool veröffentlicht! --------------------------------------------- https://sec-consult.com/de/blog/detail/aggrokatz-pypykatz-trifft-cobalt-str… ∗∗∗ The March/April 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Exploit on Exchange --------------------------------------------- https://securityblog.switch.ch/2021/04/27/the-march-april-2021-issue-of-our… ∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in the Linux Kernel ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel. --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html ∗∗∗ Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU ∗∗∗ --------------------------------------------- Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol rereferred to as the worlds most dangerous malware: Emotet. --------------------------------------------- https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-… ∗∗∗ WhatsApp-NutzerInnen aufgepasst: Kriminelle versuchen Ihr WhatsApp-Konto zu stehlen ∗∗∗ --------------------------------------------- Sie wurden auf WhatsApp gebeten, einen 6-stelligen-Code weiterzuleiten? Tun Sie das auf gar keinen Fall, dieser Code ist der Schlüssel zu Ihrem WhatsApp-Account. Kriminelle versuchen Sie mit unterschiedlichsten Begründungen zu überzeugen, diesen weiterzuleiten. --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nutzerinnen-aufgepasst-krim… ∗∗∗ CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks ∗∗∗ --------------------------------------------- A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/cisa-and-nist-rel… ===================== = Vulnerabilities = ===================== ∗∗∗ All Your Macs Are Belong To Us ∗∗∗ --------------------------------------------- Here, we detail a bug that trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk! --------------------------------------------- https://objective-see.com/blog/blog_0x64.html ∗∗∗ Citrix ShareFile storage zones controller security update ∗∗∗ --------------------------------------------- A security issue has been identified in the Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller. --------------------------------------------- https://support.citrix.com/article/CTX310780 ∗∗∗ Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin ∗∗∗ --------------------------------------------- On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-lea… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, and gst-plugins-ugly1.0), Fedora (kernel, kernel-headers, kernel-tools, and rust), openSUSE (firefox), Oracle (firefox, mariadb:10.3 and mariadb-devel:10.3, thunderbird, and xstream), Red Hat (kernel, kernel-alt, kpatch-patch, nss, and openldap), Scientific Linux (firefox, thunderbird, and xstream), SUSE (firefox), and Ubuntu (file-roller, firefox, and ruby2.7). --------------------------------------------- https://lwn.net/Articles/854623/ ∗∗∗ NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability ∗∗∗ --------------------------------------------- A newly identified NTLM (New Technology LAN Manager) relay attack abuses a remote procedure call (RPC) vulnerability to enable elevation of privilege, researchers from cybersecurity firm SentinelOne reveal. --------------------------------------------- https://www.securityweek.com/ntlm-relay-attack-abuses-windows-rpc-protocol-… ∗∗∗ Apple Security Updates 2021-04-26 ∗∗∗ --------------------------------------------- https://support.apple.com/en-us/HT201222 ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m… ∗∗∗ Security Bulletin: Buffer Overflow Vulnerability in IBM SDK Affects IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to weak file permissions allowing access to specific files (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Nvidia Treiber: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0440 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0447 ∗∗∗ TYPO3 Extension: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0449 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/27/google-releases-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2021
by Daily end-of-shift report 26 Apr '21

26 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-04-2021 18:00 − Montag 26-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qnap: NAS-Ransomware erpresst in wenigen Tagen 230.000 Euro ∗∗∗ --------------------------------------------- Mit einer trivialen Sicherheitslücke konnte die Ransomware Qlocker binnen weniger Tage Tausende Euro von Qnap-NAS-Besitzern erpressen. --------------------------------------------- https://www.golem.de/news/qnap-nas-ransomware-erpresst-in-wenigen-tagen-230… ∗∗∗ Passwordstate: Passwort-Manager von Click Studios gehackt ∗∗∗ --------------------------------------------- Angreifern ist die Kompromittierung einer Upgrade-Funktion von Click Studios gelungen. Nutzer von Passwordstate sollen ihre Passwörter zurücksetzen. --------------------------------------------- https://heise.de/-6027188 ∗∗∗ "Tschüss Emotet": Malware deinstalliert sich selbst ∗∗∗ --------------------------------------------- Der "König der Schad-Software" machte still und leise einen Abgang. --------------------------------------------- https://heise.de/-6028392 ∗∗∗ Unsecured Kubernetes Instances Could Be Vulnerable to Exploitation ∗∗∗ --------------------------------------------- We discuss how malware and malicious activities can occur in unsecured Kubernetes instances and how better configuration can help. --------------------------------------------- https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/ ∗∗∗ This password-stealing Android malware is spreading quickly: Heres what to watch out for ∗∗∗ --------------------------------------------- FluBot is designed to steal personal information including bank details - and infected users are being exploited to spread the malware to their contacts. --------------------------------------------- https://www.zdnet.com/article/this-password-stealing-android-malware-is-spr… ∗∗∗ Hacking campaign targets FileZen file-sharing network appliances ∗∗∗ --------------------------------------------- Threat actors are using two vulnerabilities in a popular file-sharing server to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Ministers Cabinet Office. --------------------------------------------- https://therecord.media/hacking-campaign-targets-filezen-file-sharing-netwo… ∗∗∗ Fake Microsoft DirectX 12 site pushes crypto-stealing malware ∗∗∗ --------------------------------------------- Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-si… ∗∗∗ Base64 Hashes Used in Web Scanning, (Sat, Apr 24th) ∗∗∗ --------------------------------------------- I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each logs. This graph illustrate an increase in web scanning activity for username:password over the past 3 years. --------------------------------------------- https://isc.sans.edu/diary/rss/27346 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux ∗∗∗ --------------------------------------------- A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a [...] --------------------------------------------- https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html ∗∗∗ SSD Advisory – Hongdian H8922 Multiple Vulnerabilities ∗∗∗ --------------------------------------------- The H8922 “4G industrial router is based on 3G/4G wireless network and adopts a high-performance 32-bit embedded operating system with full industrial design. It supports wired and wireless network backup, and its high reliability and convenient networking make it suitable for large-scale distributed industrial applications. Such as smart lockers, charging piles, bank ATM machines, tower monitoring, electricity, water conservancy, environmental protection”. Several vulnerabilities in the H8922 device allow remote attackers to cause the device to execute arbitrary commands with root privileges due to the fact that user provided data is not properly filtered as well as a backdoor account allows access via port 5188/tcp. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabili… ∗∗∗ [PDF] Beckhoff Security Advisory 2021-001: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server ∗∗∗ --------------------------------------------- Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs. --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ Erneut Sicherheitslücke bei Corona-Schnelltests ∗∗∗ --------------------------------------------- Aufgrund einer Sicherheitslücke in einer Schnelltest-Software konnten Unbefugte auf sensible Informationen zugreifen. Die Lücke ist mittlerweile geschlossen. --------------------------------------------- https://heise.de/-6027394 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7, gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, jackson-databind, libspring-java, opendmarc, openjdk-11, and pjproject), Fedora (buildah, containers-common, crun, firefox, java-11-openjdk, nextcloud-client, openvpn, podman, python3-docs, python3.9, runc, and xorg-x11-server), Mageia (connman, krb5-appl, and virtualbox), openSUSE (apache-commons-io, ImageMagick, jhead, libdwarf, nim, [...] --------------------------------------------- https://lwn.net/Articles/854504/ ∗∗∗ MB connect line: multiple products partially affected by DNSspooq ∗∗∗ --------------------------------------------- Multiple flaws have been found in dnsmasq before version 2.83 [...] --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-012 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0436 ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0438 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily