Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 23.04.2021
by Daily end-of-shift report 23 Apr '21

23 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-04-2021 18:00 − Freitag 23-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ [SANS ISC] Malicious PowerPoint Add-On: “Small Is Beautiful” ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malicious PowerPoint Add-On: ‘Small Is Beautiful‘”: Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous [...] --------------------------------------------- https://blog.rootshell.be/2021/04/23/sans-isc-malicious-powerpoint-add-on-s… ∗∗∗ Erpressungstrojaner eCh0raix und Qlocker haben es auf Qnap NAS abgesehen ∗∗∗ --------------------------------------------- Aufgrund von aktuellen Ransomware-Attacken auf Netzwerkspeicher (NAS) von Qnap sollten alle Besitzer die Software auf aktuellem Stand halten. --------------------------------------------- https://heise.de/-6026483 ∗∗∗ Sicherheitsforscher: AirDrop kann Kontaktdaten des iPhone-Besitzers preisgeben ∗∗∗ --------------------------------------------- Telefonnumer und Mail-Adresse sind gehasht, lassen sich von nahen Angreifern aber zurückrechnen, so die Forscher. Apple kenne die Lücke seit zwei Jahren. --------------------------------------------- https://heise.de/-6026661 ∗∗∗ Microsoft ruft an? Legen Sie lieber auf! ∗∗∗ --------------------------------------------- Aktuell häufen sich wieder Anrufe von vermeintlichen Microsoft-MitarbeiterInnen. Dabei handelt es sich um BetrügerInnen, die wahllos Menschen anrufen und von einem Problem mit dem Computer der Opfer sprechen. Die Masche dahinter: Kriminelle wollen sich Zugang zu Ihrem Computer verschaffen und sensible Daten abgreifen. Legen Sie bei solchen Anrufen sofort auf! --------------------------------------------- https://www.watchlist-internet.at/news/microsoft-ruft-an-legen-sie-lieber-a… ∗∗∗ Network Attack Trends: Internet of Threats (November 2020-January 2021) ∗∗∗ --------------------------------------------- Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution. --------------------------------------------- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/ ∗∗∗ Angriff auf Anti-Phishing-Banner in E-Mails ∗∗∗ --------------------------------------------- Bei der Analyse von Warnungen vor Phishing-Mails stellte die SySS erhebliche Mängel fest, die es Angreifenden ermöglichen, solche Banner auszublenden. --------------------------------------------- https://www.syss.de/pentest-blog/angriff-auf-anti-phishing-banner-in-e-mails ∗∗∗ Sysrv: A new crypto-mining botnet is silently growing in the shadows ∗∗∗ --------------------------------------------- If you forget to update or properly secure an internet-connected server or web app, the chances are that a crypto-mining botnet will infect it first, long before any nation-state hacking group. Crypto-mining botnets have been a plague on the internet for the past three years, and despite the space being more than saturated, new botnets are being built and discovered on a re.gular basis, driven mainly by cybercriminals unquenched thirst for easy money. --------------------------------------------- https://therecord.media/sysrv-a-new-crypto-mining-botnet-is-silently-growin… ===================== = Vulnerabilities = ===================== ∗∗∗ Sipwise C5 NGCP CSC CSRF Click2Dial Exploit ∗∗∗ --------------------------------------------- The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php ∗∗∗ Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities ∗∗∗ --------------------------------------------- Sipwise software platform suffers from multiple authenticated stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a users browser session in context of an affected site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php ∗∗∗ BOSCH-SA-918106 - ctrlX Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in operating system libraries and the Linux kernel have been reported which in a worst case scenario could allow an attacker to compromise the system by provoking a crash or the execution of malicious code. The affected functions are not used directly by any Rexroth software component and therefore the risk of an attacker being able to exploit the vulnerability is considered as low. Nevertheless, it cannot be completely ruled out that the functions might be called [...] --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-918106.html ∗∗∗ Security Bulletin: Trend Micro HouseCall for Home Networks Incorrect Permission Assignment Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- Trend Micro has released an updated version of Trend Micro HouseCall for Home Networks which resolve two incorrect permission assignment vulnerabilities that may lead to privilege escalation. --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-10310 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, openjdk-8, and wpa), openSUSE (irssi, jhead, opera, and python-django-registration), SUSE (firefox and qemu), and Ubuntu (dnsmasq and shibboleth-sp). --------------------------------------------- https://lwn.net/Articles/854215/ ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Input Validation, and Improper Access Controls vulnerabilities in Horner Automation Cscape control system application programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-112-01 ∗∗∗ Mitsubishi Electric GOT ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Authentication vulnerability in Mitsubishi Electrics GOT human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-112-02 ∗∗∗ Security Bulletin: Series of vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-series-of-vulnerabilities… ∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environments Java™ Technology Edition Versions affects IBM® Db2®. (January 2021 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ru… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-server-vulnerabil… ∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2017-1000190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2021
by Daily end-of-shift report 22 Apr '21

22 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-04-2021 18:00 − Donnerstag 22-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Macher des Signal-Messenger hacken Spionage-Software von Cellebrite ∗∗∗ --------------------------------------------- Die Signal-Entwickler zeigen per Video, wie ein präpariertes iPhone die von Ermittlungsbehörden verwendete Software von Cellebrite aushebelt. --------------------------------------------- https://heise.de/-6024421 ∗∗∗ Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices ∗∗∗ --------------------------------------------- A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-a… ∗∗∗ Attackers can hide external sender email warnings with HTML and CSS ∗∗∗ --------------------------------------------- The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-… ∗∗∗ Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns ∗∗∗ --------------------------------------------- Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims’ machines, new research has found. --------------------------------------------- https://threatpost.com/telegram-toxiceye-malware/165543/ ∗∗∗ Announcing the New Reports API ∗∗∗ --------------------------------------------- We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret. --------------------------------------------- https://www.shadowserver.org/news/announcing-the-new-reports-api/ ∗∗∗ All Your Databases Belong To Me! A Blind SQLi Case Study ∗∗∗ --------------------------------------------- The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-da… ∗∗∗ Researchers Find Additional Infrastructure Used By SolarWinds Hackers ∗∗∗ --------------------------------------------- The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, [...] --------------------------------------------- https://thehackernews.com/2021/04/researchers-find-additional.html ∗∗∗ [SANS ISC] How Safe Are Your Docker Images? ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “How Safe Are Your Docker Images?“: Today, I don’t know any organization that is not using Docker today. For only test and development only or to full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier’s tools. Today, we are also facing a new threat: supply chain attacks (think about Solarwinds or, more recently, CodeCov). Let’s mix the attraction for container technologies and this threat, we realize that Docker images are a great way to compromise an organization! --------------------------------------------- https://blog.rootshell.be/2021/04/22/sans-isc-how-safe-are-your-docker-imag… ∗∗∗ PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately ∗∗∗ --------------------------------------------- Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible [...] --------------------------------------------- https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-p… ∗∗∗ Now this botnet is hunting for unpatched Microsoft Exchange servers ∗∗∗ --------------------------------------------- Prometei botnets key goal is cryptojacking - but its powerful capabilities could see it deployed for much more dangerous attacks. --------------------------------------------- https://www.zdnet.com/article/now-this-botnet-is-hunting-for-unpatched-micr… ∗∗∗ CISA Incident Response to SUPERNOVA Malware ∗∗∗ --------------------------------------------- CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-res… ∗∗∗ AirDrop bugs expose Apple users' email addresses, phone numbers ∗∗∗ --------------------------------------------- A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apples AirDrop file transfer feature. --------------------------------------------- https://therecord.media/airdrop-bugs-expose-apple-users-email-addresses-pho… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories zu Cisco SD-WAN vManage Software ∗∗∗ --------------------------------------------- Cisco hat 5 Security Advisories zu Cisco SD-WAN vManage Software veröffentlicht, die alle als "Medium" klassifiziert werden. --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Sicherheitsupdates: Statische Zugangsdaten gefährden Qnap NAS ∗∗∗ --------------------------------------------- Eine kritische Lücke in HBS 3 Hybrid Backup Sync bringt Netzwerkspeicher (NAS) von Qnap in Gefahr. --------------------------------------------- https://heise.de/-6025271 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/853953/ ∗∗∗ Google rushes out fix for zero‑day vulnerability in Chrome ∗∗∗ --------------------------------------------- The update patches a total of seven security flaws in the desktop versions of the popular web browser --------------------------------------------- https://www.welivesecurity.com/2021/04/21/google-fix-zero-day-vulnerability… ∗∗∗ Drupal: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0432 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0431 ∗∗∗ Stored XSS (veraltete Software-Bibliothek) in BMDWeb 2.0 ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-veraltete-… ∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Performance Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2021
by Daily end-of-shift report 21 Apr '21

21 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-04-2021 18:00 − Mittwoch 21-04-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Brace yourselves. Facebook has a new mega-leak on its hands ∗∗∗ --------------------------------------------- Facebook Email Search v1.0 can process 5 million email addresses per day, researcher says. --------------------------------------------- https://arstechnica.com/?p=1758893 ∗∗∗ Logins for 1.3 million Windows RDP servers collected from hacker market ∗∗∗ --------------------------------------------- The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/logins-for-13-million-window… ∗∗∗ New article: Run your malicious VBA macros anywhere! ∗∗∗ --------------------------------------------- Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code. --------------------------------------------- https://www.virusbulletin.com/blog/2021/04/new-article-run-your-malicious-v… ∗∗∗ CVE-2021-30481: Source engine remote code execution via game invites ∗∗∗ --------------------------------------------- In this blog post, we will look at how an attacker can use the Steamworks API in combination with various features and properties of the Source engine to gain remote code execution (RCE) through malicious Steam game invites. --------------------------------------------- https://secret.club/2021/04/20/source-engine-rce-invite.html ∗∗∗ A year of Fajan evolution and Bloomberg themed campaigns ∗∗∗ --------------------------------------------- Some malware campaigns are designed to spread malware to as many people as possible — while some others carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit in any of the two categories. --------------------------------------------- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bl… ∗∗∗ Kleinanzeigenbetrug: Vorsicht bei Abwicklung über erfundene Speditionen! ∗∗∗ --------------------------------------------- Der Verkauf von gebrauchten Waren über Kleinanzeigenportale wie willhaben.at, shpock.com oder ebay.at boomt. Doch Vorsicht: Auch der Betrug auf solchen Plattformen wird uns derzeit häufig gemeldet. Besonders beliebt unter den Kriminellen ist die Kaufabwicklung über erfundene Speditionen. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-bei-abw… ∗∗∗ WhatsApp Pink: Watch out for this fake update ∗∗∗ --------------------------------------------- The malware sends automated replies to messages on WhatsApp and other major chat apps. --------------------------------------------- https://www.welivesecurity.com/2021/04/20/whatsapp-pink-watch-out-fake-upda… ===================== = Vulnerabilities = ===================== ∗∗∗ Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit ∗∗∗ --------------------------------------------- Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild. --------------------------------------------- https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.ht… ∗∗∗ Oracle veröffentlicht 390 Sicherheitsupdates für MySQL, Java & Co. ∗∗∗ --------------------------------------------- In seinem Quartalsupdate patcht sich Oracle durch sein Software-Portfolio und schließt unter anderem einige kritische Sicherheitslücken. --------------------------------------------- https://heise.de/-6022746 ∗∗∗ Jetzt patchen! Attacken auf E-Mail Security Appliances von SonicWall ∗∗∗ --------------------------------------------- Es gibt wichtige Updates für SonicWalls "Email Security". Angreifer nutzen eine Lücke derzeit aktiv aus. --------------------------------------------- https://heise.de/-6022716 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, php-pear, wordpress, and zabbix), Oracle (java-1.8.0-openjdk and java-11-openjdk), Red Hat (java-1.8.0-openjdk, java-11-openjdk, kernel, and kpatch-patch), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (seamonkey), SUSE (apache-commons-io, ImageMagick, kvm, ruby2.5, and sudo), and Ubuntu (edk2, libcaca, ntp, and ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/853759/ ∗∗∗ VU#567764: MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/567764 ∗∗∗ ZDI-21-442: (0Day) Advantech WebAccess/HMI Designer SNF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-442/ ∗∗∗ ZDI-21-441: (0Day) Advantech WebAccess/HMI Designer PLF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-441/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in Eclipse Jetty affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2019-17558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in jersey affect Apache Zookeeper shipped with IBM Operations Analytics – Log Analysis (CVE-2014-3643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jersey-a… ∗∗∗ Security Bulletin: Security Bulletin: IBM SDK Java Quarterly CPU Oct 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-sdk… ∗∗∗ Security Bulletin: SMTP for IBM i is affected by CVE-2021-20501 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-smtp-for-ibm-i-is-affecte… ∗∗∗ Security Bulletin: Update available for OpenSSL vulnerabilities affecting IBM Watson Speech Services 1.2.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-update-available-for-open… ∗∗∗ Security Bulletin: protobuf Vulnerability in Apache Solr affect IBM Operations Analytics – Log Analysis Analysis (CVE-2015-5237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-protobuf-vulnerability-in… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerability in Apache Ant affect IBM Operations Analytics – Log Analysis Analysis (CVE-2020-1945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a… ∗∗∗ Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-re… ∗∗∗ Hitachi ABB Power Grids Ellipse APM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-01 ∗∗∗ Rockwell Automation Stratix Switches ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-02 ∗∗∗ Delta Industrial Automation COMMGR ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-03 ∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-04 ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-05 ∗∗∗ Eaton Intelligent Power Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06 ∗∗∗ Siemens Mendix ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-110-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2021
by Daily end-of-shift report 20 Apr '21

20 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 19-04-2021 18:00 − Dienstag 20-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Remote Code Execution: Angriffe auf VPN-Geräte von Pulse Secure ∗∗∗ --------------------------------------------- Produkte von Pulse Secure sind von einer kritischen Sicherheitslücke betroffen, für die es keinen Patch gibt. Angriffe finden bereits statt. --------------------------------------------- https://www.golem.de/news/remote-code-execution-angriffe-auf-vpn-geraete-vo… ∗∗∗ Google Play apps with 700k installs steal texts and charge you money ∗∗∗ --------------------------------------------- Google removes eight apps after receiving report from researchers. --------------------------------------------- https://arstechnica.com/?p=1758227 ∗∗∗ Fake Microsoft Store, Spotify sites spread info-stealing malware ∗∗∗ --------------------------------------------- Attackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute malware to steal credit cards and passwords saved in web browsers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify… ∗∗∗ Breaking ABUS Secvest internet-connected alarm systems (CVE-2020-28973) ∗∗∗ --------------------------------------------- ABUS Secvest is a wireless alarm system that is marketed at consumers and small businesses. It is usually deployed by a specialized company. A Secvest FUAA50000 controller costs about EUR400. A typical deployment with motion sensors, a siren and door/window sensors can cost thousands of euro’s. In this article I will describe how more than 10.000 internet-connected alarm systems could be hacked and deactivated remotely. --------------------------------------------- https://eye.security/en/blog/breaking-abus-secvest-internet-connected-alarm… ∗∗∗ Firefox & Thunderbird: Sicherheitsrelevante Updates für Browser & E-Mail-Client ∗∗∗ --------------------------------------------- Mozilla hat Firefox 88 nebst ESR-Pendant sowie Thunderbird 78.10 veröffentlicht. Im Gepäck haben die Releases unter anderem auch wichtige Schwachstellen-Fixes. --------------------------------------------- https://heise.de/-6021309 ∗∗∗ Facebook Messenger users targeted by a large-scale scam ∗∗∗ --------------------------------------------- A large-scale scam campaign targeting Facebook Messenger users all over the world has been detected by Group-IB. Digital Risk Protection (DRP) analysts have found evidence proving that users in over 80 countries in Europe, Asia, the MEA region, North and South America might have been affected. By distributing ads promoting an allegedly updated version of Facebook Messenger, cybercriminals harvested users’ login credentials. --------------------------------------------- https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/ ∗∗∗ E-Mail: UnternehmerInnen werden aufgefordert, Corona-Tests bei "testversand.com" zu kaufen ∗∗∗ --------------------------------------------- In Deutschland müssen ArbeitgeberInnen ab heute für MitarbeiterInnen, die nicht im Home-Office sind, Corona-Tests bereitstellen. Diese Maßnahme nutzen Kriminelle und kontaktieren zahlreiche UnternehmerInnen, um den unseriösen Online-Shop für Corona-Tests "testversand.com" zu empfehlen. Es ist anzunehmen, dass dieses E-Mail auch an österreichische UnternehmerInnen versendet wird. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-unternehmerinnen-werden-aufge… ∗∗∗ Multi-factor authentication: Use it for all the people that access your network, all the time ∗∗∗ --------------------------------------------- The vast majority of cyberattacks involve a password being hacked - providing your employees with multi-factor authentication could go a long way towards stopping cyber criminals breaking into your network. --------------------------------------------- https://www.zdnet.com/article/multi-factor-authentication-use-it-for-all-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in Synology DiskStation Manager. DSM is the Linux-based operating system for every Synology network-attached storage device (NAS). --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-synology-dsm.html ∗∗∗ Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro ∗∗∗ --------------------------------------------- Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together. --------------------------------------------- https://www.wordfence.com/blog/2021/04/widespread-attacks-continue-targetin… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (CImg, gmic, leptonica, mingw-binutils, mingw-glib2, mingw-leptonica, mingw-python3, nodejs, and seamonkey), openSUSE (irssi, kernel, nextcloud-desktop, python-django-registration, and thunderbird), Red Hat (389-ds:1.4, kernel, kernel-rt, perl, and pki-core:10.6), SUSE (kernel, sudo, and xen), and Ubuntu (clamav and openslp-dfsg). --------------------------------------------- https://lwn.net/Articles/853614/ ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20453) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1971). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could affect InfoSphere Streams version 4.3 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: Multiple vulnerabilites in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-i… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to vulnerability in Apache POI (CVE-2019-12415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the JNDI component could affect InfoSphere Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: Potential TLS vulnerability using Diffie-Hellman TLS ciphersuites in IBM DataPower Gateway (CVE-2020-1968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-tls-vulnerabili… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2021
by Daily end-of-shift report 19 Apr '21

19 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-04-2021 18:00 − Montag 19-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Codecov: Gehacktes Entwickler-Tool Bash Uploader zum Datendiebstahl missbraucht ∗∗∗ --------------------------------------------- Unbekannte manipulierten den Bash Uploader-Code. Der Vorfall, der zwei Monate lang unbemerkt blieb, betrifft potenziell auch einige bekannte Firmen. --------------------------------------------- https://heise.de/-6019302 ∗∗∗ Ryuk ransomware operation updates hacking techniques ∗∗∗ --------------------------------------------- Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-up… ∗∗∗ NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator ∗∗∗ --------------------------------------------- BleepingComputer owner Lawrence Abrams reported infections of new singular ransomware dubbed NitroRansomware which demands a Discord Nitro gift code to the victims to decrypt their files. --------------------------------------------- https://heimdalsecurity.com/blog/nitroransomware-distributed-as-a-fake-free… ∗∗∗ BazarLoader Malware Abuses Slack, BaseCamp Clouds ∗∗∗ --------------------------------------------- Two cyberattack campaigns are making the rounds using unique social-engineering techniques. --------------------------------------------- https://threatpost.com/bazarloader-malware-slack-basecamp/165455/ ∗∗∗ Serious Security: Rowhammer is back, but now it’s called SMASH ∗∗∗ --------------------------------------------- Simply put: reading from RAM in your program could write to RAM in someone elses --------------------------------------------- https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-b… ∗∗∗ Querying Spamhaus for IP reputation, (Fri, Apr 16th) ∗∗∗ --------------------------------------------- Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that python script has evolved some which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added into that script. --------------------------------------------- https://isc.sans.edu/diary/rss/27320 ∗∗∗ Decoding Cobalt Strike Traffic, (Sun, Apr 18th) ∗∗∗ --------------------------------------------- In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike. --------------------------------------------- https://isc.sans.edu/diary/rss/27322 ∗∗∗ Hunting phishing websites with favicon hashes, (Mon, Apr 19th) ∗∗∗ --------------------------------------------- HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way. --------------------------------------------- https://isc.sans.edu/diary/rss/27326 ∗∗∗ Malware Spreads Via Xcode Projects Now Targeting Apples M1-based Macs ∗∗∗ --------------------------------------------- A Mac malware campaign targeting Xcode developers has been retooled to add support for Apples new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. --------------------------------------------- https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.ht… ∗∗∗ Malvertisers hacked 120 ad servers to load malicious ads ∗∗∗ --------------------------------------------- A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware. --------------------------------------------- https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-maliciou… ∗∗∗ Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack ∗∗∗ --------------------------------------------- The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack. --------------------------------------------- https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Schadcode-Lücken in NAS-Systemen von Qnap geschlossen ∗∗∗ --------------------------------------------- Fehler in verschiedenen Komponenten machen Netzwerkspeicher (NAS) von Qnap verwundbar. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6019234 ∗∗∗ VMSA-2021-0006 ∗∗∗ --------------------------------------------- A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware product. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0006.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...] --------------------------------------------- https://lwn.net/Articles/853420/ ∗∗∗ iApps vulnerability CVE-2020-17507 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11542555 ∗∗∗ libcroco vulnerability CVE-2020-12825 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01074825 ∗∗∗ Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0397 ∗∗∗ Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics – Log Analysis Analysis (CVE-2018-8017) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-with-apache… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2018-8036) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-p… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2021
by Daily end-of-shift report 16 Apr '21

16 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-04-2021 18:00 − Freitag 16-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken: Google Project Zero gibt Nutzern 30 Tage zum Patchen ∗∗∗ --------------------------------------------- Mit der neuen Regelung hofft Googles Project Zero auf mehr Sicherheit für die Nutzer und schnellere Patches. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-google-project-zero-gibt-nutze… ∗∗∗ [SANS ISC] HTTPS Support for All Internal Services ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “HTTPS Support for All Internal Services“: SSL/TLS has been on stage for a while with deprecated protocols, free certificates for everybody. The landscape is changing to force more and more people to switch to encrypted communications and this is good! Like Johannes explained yesterday, [...] --------------------------------------------- https://blog.rootshell.be/2021/04/16/sans-isc-https-support-for-all-interna… ∗∗∗ The rise of QakBot ∗∗∗ --------------------------------------------- AT&T Alien Labs closely monitors the evolution of crimeware such as the QakBot malware family and campaigns in connection with QakBot. The jointly coordinated takedown of the actors behind Emotet in late January has left a gap in the cybercrime landscape, which QakBot seems poised to fill. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot ∗∗∗ “Huge upsurge” in DDoS attacks during pandemic ∗∗∗ --------------------------------------------- A new report by Netscout sets yet out another way in which why 2020 was a record-breaking year for for all the wrong reasons. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/04/huge-upsurge-in-ddos-attacks-… ∗∗∗ Security vs User Journey ∗∗∗ --------------------------------------------- Something I often think about is how my recommendations for clients to fix small security issues can spoil / complicate their users’ journey. UX matters I understand that UX is [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/security-vs-user-journey/ ∗∗∗ Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers? ∗∗∗ --------------------------------------------- Unit 42 researchers found an attack in the wild targeting Nagios XI 5.7.5 that exploits CVE-2021-25296 and drops a cryptocurrency miner. Read more for an analysis of the vulnerable code, the resulting command injection, and the malicious scripts. --------------------------------------------- https://unit42.paloaltonetworks.com/nagios-xi-vulnerability-cryptomining/ ∗∗∗ CISA and CNMF Analysis of SolarWinds-related Malware ∗∗∗ --------------------------------------------- CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/cisa-and-cnmf-ana… ∗∗∗ Codecov discloses 2.5-month-long supply chain attack ∗∗∗ --------------------------------------------- Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to breach its platform and add a credentials harvester to one of its tools. --------------------------------------------- https://therecord.media/codecov-discloses-2-5-month-long-supply-chain-attac… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (smarty3), Fedora (libpano13, python3.8, and seamonkey), Mageia (chromium-browser-stable, gstreamer1.0, thunderbird, and x11-server), Oracle (libldb and thunderbird), SUSE (grafana and system-user-grafana, kernel, and openldap2), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, [...] --------------------------------------------- https://lwn.net/Articles/852978/ ∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Privilege Management and Path Traversal vulnerabilities in the Schneider Electric C-Bus Toolkit. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-105-01 ∗∗∗ EIPStackGroup OpENer Ethernet/IP ∗∗∗ --------------------------------------------- This advisory contains mitigations for Incorrect Conversion Between Numeric Types, Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in EIPStackGroup OpENer Ethernet IP. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-105-02 ∗∗∗ Multiple NSS vulnerabilities CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, and CVE-2020-12402 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61267093 ∗∗∗ NSS vulnerability CVE-2020-12403 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13290208 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0393 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2021
by Daily end-of-shift report 15 Apr '21

15 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-04-2021 18:00 − Donnerstag 15-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken: Link anklicken führt zu Remote Code Execution ∗∗∗ --------------------------------------------- In zahlreichen Applikationen finden sich Sicherheitslücken bei der Verarbeitung von Links, betroffen sind unter anderem VLC, Libreoffice und Telegram. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-link-anklicken-fuehrt-zu-remot… ∗∗∗ WordPress Continues to Fall Victim to Carding Attacks ∗∗∗ --------------------------------------------- Unsurprisingly, as WordPress continues to increase in popularity as an e-commerce platform, attackers continue to attempt to steal credit card information from unsuspecting clients. Currently, the WordPress plugin WooCommerce accounts for roughly a quarter of all online stores. Over recent years, attackers whose goal it is to fradulently obtain credit card information have mostly focused on e-commerce specific platforms such as Magento, PrestaShop and OpenCart [...] --------------------------------------------- https://blog.sucuri.net/2021/04/credit-card-swipers-in-wordpress.html ∗∗∗ Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched ∗∗∗ --------------------------------------------- A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week. --------------------------------------------- https://www.securityweek.com/exploit-second-unpatched-chromium-flaw-made-pu… ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-875726 V1.0: Privilege Escalation Vulnerability in Mendix ∗∗∗ --------------------------------------------- The latest updates for Mendix fix a vulnerability in Mendix Applications that could allow malicious authorized users to escalate their privileges. Mendix has released an update for Mendix and recommends to update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-875726.txt ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (kernel), openSUSE (clamav, fluidsynth, python-bleach, spamassassin, and xorg-x11-server), Red Hat (gnutls and nettle, libldb, and thunderbird), Scientific Linux (thunderbird), SUSE (clamav, util-linux, and xorg-x11-server), and Ubuntu (network-manager and underscore). --------------------------------------------- https://lwn.net/Articles/852726/ ∗∗∗ Juniper JUNOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Juniper JUNOS, Juniper Junos Evolved und Juniper SRX Series ausnutzen, um einen Denial of Service Angriff durchführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, Code zur Ausführung zu bringen, seine Privilegien zu erweitern und beliebigen Code mit Administratorrechten auszuführen. https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0387 ∗∗∗ Red Hat Virtualization Engine: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in der Red Hat Virtualization Engine ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, beliebigen Code auszuführen, einen Denial of Service Zustand auszulösen und kryptographische Maßnahmen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0385 ∗∗∗ WordPress: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0391 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0390 ∗∗∗ McAfee Endpoint Security: Schwachstelle ermöglicht Manipulation von Daten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0388 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2021
by Daily end-of-shift report 14 Apr '21

14 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-04-2021 18:00 − Mittwoch 14-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft schließt weitere Lücken in Windows und Mail/Groupware-System Exchange ∗∗∗ --------------------------------------------- Microsoft veröffentlicht über 2700 kritische und wichtige Updates für Exchange und Windows 10, aber auch für Windows 7 und 8.1 sowie ältere Serversysteme. --------------------------------------------- https://heise.de/-6015002 ∗∗∗ Patchday: Adobe verteilt Sicherheitsupdates gegen teils kritische Lücken ∗∗∗ --------------------------------------------- Aus Adobe Photoshop, Digital Editions & Bridge (Windows, macOS) wurden kritische Sicherheitslücken entfernt. Auch RoboHelp für Win bekam ein wichtiges Update. --------------------------------------------- https://heise.de/-6015086 ∗∗∗ Microsoft-Patchday: Updates entfernen aktiv genutzten Angriffsweg aus Windows ∗∗∗ --------------------------------------------- Zum Patchday hat Microsoft unter anderem eine Schwachstelle im Desktop Window Manager in Win 10 & Server-Pendants behoben, die derzeit aktiv ausgenutzt wird. --------------------------------------------- https://heise.de/-6015082 ∗∗∗ Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere ∗∗∗ --------------------------------------------- Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security [...] --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-azure-sphere-apri… ∗∗∗ Vorsicht! Unseriöse Praktiken bei über 120 Datingplattformen von Date4Friend AG! ∗∗∗ --------------------------------------------- Die Schweizer Firma Date4Friend AG betreibt zahlreiche Datingplattformen im deutschsprachigen Raum. Doch viele NutzerInnen ärgern sich über die Angebote von Date4Friend AG. So entpuppen sich eigentlich günstige Abos rasch als teure Abo-Falle. VerbraucherInnen beschweren sich zudem darüber, dass Abo-Kündigungen nicht angenommen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-unserioese-praktiken-bei-ue… ∗∗∗ 100,000 Google Sites Used to Install SolarMarket RAT ∗∗∗ --------------------------------------------- Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains. --------------------------------------------- https://threatpost.com/google-sites-solarmarket-rat/165396/ ∗∗∗ Jahresbericht 2020 von CERT.at und GovCERT Austria veröffentlicht ∗∗∗ --------------------------------------------- 2020 war einiges los in Bezug auf IT-Sicherheit in Österreich: Im Jänner sorgten CVE-2019-19781 a.k.a. "Shitrix" und der Angriff auf das BMEIA für einen turbulenten Start und den Rest des Jahres beschäftigten uns unter anderem Emotet, Ransomware und nicht eingespielte Updates. Aber auch abseits vom Tagesgeschäft der IT-Sicherheit hat sich einiges getan [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/4/jahresbericht-2020-von-certat-und-govce… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April Patch Tuesday ∗∗∗ --------------------------------------------- One month after disclosing four zero-day vulnerabilities in Exchange Server, Microsoft addresses four additional vulnerabilities discovered by the National Security Agency (NSA). --------------------------------------------- https://de.tenable.com/blog/cve-2021-28480-cve-2021-28481-cve-2021-28482-cv… ∗∗∗ New WhatsApp Bugs Couldve Let Attackers Hack Your Phone Remotely ∗∗∗ --------------------------------------------- Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even compromise encrypted communications. The flaws take aim at devices running Android versions up to and including Android 9 by carrying out whats known as a "man-in-the-disk" attack [...] --------------------------------------------- https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.ht… ∗∗∗ Recent Patches Rock the Elementor Ecosystem ∗∗∗ --------------------------------------------- Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints. --------------------------------------------- https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (screen), Debian (clamav, courier-authlib, and tomcat9), Red Hat (thunderbird), SUSE (clamav, glibc, kernel, open-iscsi, opensc, spamassassin, thunderbird, wpa_supplicant, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/852627/ ∗∗∗ New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291) ∗∗∗ --------------------------------------------- CVE-2021-20291 leads to a denial of service of the container engines CRI-O and Podman when pulling a malicious image from a registry. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2021-20291/ ∗∗∗ Schneider Electric SoMachine Basic ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Schneider Electric SoMachine Basic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-01 ∗∗∗ Advantech WebAccessSCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in Advantech WebAccess/SCADA browser-based software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-02 ∗∗∗ JTEKT TOYOPUC products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Resource Shutdown or Release vulnerability in JTEKT TOYOPUC programmable logic controller products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Reflected cross-site scripting in Microsoft Azure DevOps Server ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-in-microso… ∗∗∗ vBulletin Connect: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0373 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2021
by Daily end-of-shift report 13 Apr '21

13 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 12-04-2021 18:00 − Dienstag 13-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ NAME:WRECK DNS vulnerabilities affect over 100 million devices ∗∗∗ --------------------------------------------- Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/name-wreck-dns-vulnerabiliti… ∗∗∗ RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers ∗∗∗ --------------------------------------------- An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. --------------------------------------------- https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html ∗∗∗ CISA Details Malware Found on Hacked Exchange Servers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware. --------------------------------------------- https://www.securityweek.com/cisa-details-malware-found-hacked-exchange-ser… ∗∗∗ Unseriöse Kreditkartenabbuchungen von screenacy.co ∗∗∗ --------------------------------------------- Wenn von Ihrer Kreditkarte monatlich ein Betrag von screenacy.co abgebucht wird, ohne dass Sie etwas bestellt oder abonniert haben, sind Sie höchstwahrscheinlich in eine Abo-Falle getappt. Viele Betroffene können nicht nachvollziehen, wo und warum es zu einem Vertragsabschluss gekommen ist - meist aber durch bewusste Täuschung. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-kreditkartenabbuchungen-v… ∗∗∗ Winter 2020 Network Attack Trends: Internet of Threats ∗∗∗ --------------------------------------------- Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution. --------------------------------------------- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/ ∗∗∗ Threat Assessment: Clop Ransomware ∗∗∗ --------------------------------------------- In response to an uptick in Clop ransomware activity, we provide an overview and courses of action that can be used to mitigate it. --------------------------------------------- https://unit42.paloaltonetworks.com/clop-ransomware/ ∗∗∗ Threat Actor Type Inference and Characterization within Cyber Threat Intelligence. (arXiv:2103.02301v3 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- As the cyber threat landscape is constantly becoming increasingly complex and polymorphic, the more critical it becomes to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate with different sources to derive more contextual, accurate, and relevant intelligence. --------------------------------------------- https://arxiv.org/abs/2103.02301 ===================== = Vulnerabilities = ===================== ∗∗∗ [20210402] - Core - Inadequate filters on module layout settings ∗∗∗ --------------------------------------------- Inadequate filters on module layout settings could lead to an LFI. --------------------------------------------- https://developer.joomla.org:443/security-centre/851-20210402-core-inadequa… ∗∗∗ [20210401] - Core - Escape xss in logo parameter error pages ∗∗∗ --------------------------------------------- Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages. --------------------------------------------- https://developer.joomla.org:443/security-centre/850-20210401-core-escape-x… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libpano13), Fedora (mosquitto and perl-Net-CIDR-Lite), Mageia (curl, mongodb, pdfbox, python-jinja2, rygel, spamassassin, tor, velocity, webkit2, and wireshark), openSUSE (umoci), Oracle (389-ds:1.4, kernel, and virt:ol and virt-devel:rhel), Red Hat (kernel and kpatch-patch), Slackware (dnsmasq and irssi), and SUSE (cifs-utils, rubygem-actionpack-4_2, and spamassassin). --------------------------------------------- https://lwn.net/Articles/852526/ ∗∗∗ Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices ∗∗∗ --------------------------------------------- An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage (NAS) devices that run the Surveillance Station video management system. --------------------------------------------- https://www.securityweek.com/exploit-released-critical-vulnerability-affect… ∗∗∗ SAP Patchday April ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0370 ∗∗∗ ZDI-21-406: (0Day) Microsoft 3D Builder PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-406/ ∗∗∗ ZDI-21-405: (0Day) Microsoft Print 3D PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-405/ ∗∗∗ D-Bus vulnerability CVE-2020-12049 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16729408 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-163226 V1.0: CELL File Parsing Vulnerability in Tecnomatix RobotExpert ∗∗∗ --------------------------------------------- Siemens Tecnomatix RobotExpert version V16.1 fixes a vulnerability that could be triggered when the application reads CELL files. If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-163226.txt ∗∗∗ SSA-185699 V1.0: Out of Bounds Write Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains two out of bounds write vulnerabilities in the handling of DNS responses that could allow an attacker to cause a denial-of-service condition or to remotely execute code. Siemens has released updates for several affected products [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-185699.txt ∗∗∗ SSA-187092 V1.0: Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200 ∗∗∗ --------------------------------------------- Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-187092.txt ∗∗∗ SSA-201384 V1.0: Predictable UDP Port Number Vulnerability (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerability described in this advisories is from this set. The DNS client of affected products contains a vulnerability related to the handling of UDP port numbers in DNS requests that could allow an attacker to poison the DNS cache or spoof DNS resolving. Siemens has released updates for several affected products and recommends to update [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-201384.txt ∗∗∗ SSA-248289 V1.0: Denial-of-Service Vulnerabilities in the IPv6 Stack of Nucleus Products ∗∗∗ --------------------------------------------- The IPv6 stack of affected products contains two vulnerabilities when processing IPv6 headers which could allow an attacker to cause a denial-of-service condition. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-248289.txt ∗∗∗ SSA-292794 V1.0: Multiple Denial-of-Service Vulnerabilities in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- The latest update for SINEMA Remote Connect Server fixes two Denial-of-Service vulnerabilities in the underlying third-party XML parser. Siemens has released updates for the affected product and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-292794.txt ∗∗∗ SSA-497656 V1.0: Multiple NTP Vulnerabilities in TIM 4R-IE Devices ∗∗∗ --------------------------------------------- There are multiple vulnerabilities in the underlying NTP component of the affected TIM 4R-IE. Siemens recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-497656.txt ∗∗∗ SSA-574442 V1.0: Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- Siemens has released a new version for Solid Edge to fix multiple vulnerabilities that could be triggered when the application reads files in different file formats (PAR, DFT extensions). If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-574442.txt ∗∗∗ SSA-669158 V1.0: DNS Client Vulnerabilities in SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669158.txt ∗∗∗ SSA-705111 V1.0: Vulnerabilities (NAME:WRECK) in DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate the DNS responses and cause a denial-of-service condition. Siemens has released updates for several --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-705111.txt ∗∗∗ SSA-761844 V1.0: Multiple Vulnerabilities in Control Center Server (CCS) ∗∗∗ --------------------------------------------- The advisory informs about multiple vulnerabilities in the Central Control Server (CCS) application, as initially reported in SSA-761617 on 2019-12-10 and SSA-844761 on 2020-03-10. The vulnerabilities involve authentication bypass (CVE-2019-18337, CVE-2019-18341), path traversal (CVE-2019-18338, CVE-2019-19290), information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291), privilege escalation (CVE-2019-18342), SQL injection (CVE-2019-19292), cross-site scripting [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt ∗∗∗ SSA-788287 V1.0: Disclosure of Private Data ∗∗∗ --------------------------------------------- Due to SmartClient Installation technology (ClickOnce) a customer/integrator needs to create a customer specific Smartclient installer. The mentioned products delivered a trusted but yet expired codesigning certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable resulting in having a trusted digital signature from a trusted provider. The certificate was revoked immediately. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-788287.txt ∗∗∗ SSA-853866 V1.0: User Credentials Disclosure Vulnerability in Siveillance Video Open Network Bridge (ONVIF) ∗∗∗ --------------------------------------------- Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to unsecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. Siemens recommends to apply the hotfixes at the earliest opportunity. See also the chapter Additional Information, how to apply the hotfix. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-853866.txt ∗∗∗ SSA-983300 V1.0: Vulnerabilities in LOGO! Soft Comfort ∗∗∗ --------------------------------------------- Two vulnerabilities have been identified in the LOGO! Soft Comfort software. These could allow an attacker to take over a system with the affected software installed. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-983300.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2021
by Daily end-of-shift report 12 Apr '21

12 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-04-2021 18:00 − Montag 12-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Top 10 Secrets of Admin Users ∗∗∗ --------------------------------------------- Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role. --------------------------------------------- https://www.beyondtrust.com/blog/entry/the-top-10-secrets-of-admin-users ∗∗∗ Pulse Secure VPN users cant login due to expired certificate ∗∗∗ --------------------------------------------- Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-… ∗∗∗ Microsoft warnt vor Banking-Trojanern ∗∗∗ --------------------------------------------- Eine neue Angriffsmethode von Banking-Trojanern beunruhigt Microsoft. IcedID, auch bekannt als BokBot, ist ein modularer Banking-Trojaner, der es auf die Finanzdaten der Anwender abgesehen hat und als Dropper für andere Malware fungieren kann. --------------------------------------------- https://www.zdnet.de/88394286/microsoft-warnt-vor-banking-trojanern/ ∗∗∗ Messenger-Dienst: Angreifer können Whatsapp-Nutzer aus dem Dienst aussperren ∗∗∗ --------------------------------------------- Durch den massenhaften Versuch, eine Telefonnummer bei Whatsapp zu registrieren, könnte diese letztlich von dem Dienst ausgeschlossen werden. --------------------------------------------- https://www.golem.de/news/messenger-dienst-angreifer-koennen-whatsapp-nutze… ∗∗∗ APKPure: Schadcode in App des alternativen Android-Stores entdeckt ∗∗∗ --------------------------------------------- Wer Android-Anwendungen über APKPure bezieht und dazu die gleichnamige App verwendet, sollte jetzt updaten: Forscher fanden Schadcode in der vorherigen Version. --------------------------------------------- https://heise.de/-6011340 ∗∗∗ Zahlreiche Probleme auf all4you-fashion.com ∗∗∗ --------------------------------------------- Immer häufiger beschäftigen die Watchlist Internet problematische Dropshipping-Angebote. Sie richten sich an österreichische und deutsche KonsumentInnen, halten dabei aber rechtliche Vorgaben nicht ein. Wer beispielsweise auf all4you-fashion.com bestellt, soll trotz „garantierten 30-tägigen Rückgaberechts“ Bearbeitungsgebühren für den Rücktritt bezahlen. Rechtlich muss ein solcher Widerruf aber kostenlos möglich sein. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-probleme-auf-all4you-fash… ∗∗∗ Schadsoftware infiziert halbe Million Huawei-Smartphones über offizielle App Gallery ∗∗∗ --------------------------------------------- Joker Malware war in mehreren Programmen versteckt - SMS-Betrug seit 2017 in immer neuen Formen --------------------------------------------- https://www.derstandard.at/story/2000125753278/schadsoftware-infiziert-halb… ∗∗∗ Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th) ∗∗∗ --------------------------------------------- Over the past several years I have used multiple pre-built sensors using readily available ISO images (rockNSM, SO, OPNSense, etc) but what I was really looking for was just a sensor to parse traffic (i.e Zeek) and IDS alerts (Suricata) to ELK. --------------------------------------------- https://isc.sans.edu/diary/rss/27296 ∗∗∗ How ransomware gangs are connected, sharing resources and tactics ∗∗∗ --------------------------------------------- New research by Analyst1 sheds light on the cooperation between some of the ransomware gangs dominating the cybersecurity news. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-c… ∗∗∗ Recording: Analyzing Android Malware — >From triage to reverse-engineering ∗∗∗ --------------------------------------------- Its easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices [...] --------------------------------------------- https://blog.talosintelligence.com/2021/04/recording-analyzing-android-malw… ∗∗∗ Emotet Command and Control Case Study ∗∗∗ --------------------------------------------- We provide a step-by-step technical analysis of Emotet command and control, based on observations from before Emotet threat actors were disrupted. --------------------------------------------- https://unit42.paloaltonetworks.com/emotet-command-and-control/ ∗∗∗ Criminals spread malware using website contact forms with Google URLs ∗∗∗ --------------------------------------------- Crooks are using social engineering to exploit workers efforts to do their jobs. --------------------------------------------- https://www.zdnet.com/article/criminals-spread-malware-using-website-contac… ∗∗∗ Critical security alert: If you havent patched this old VPN vulnerability, assume your network is compromised ∗∗∗ --------------------------------------------- Hundreds of organisations that havent applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns. --------------------------------------------- https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched… ===================== = Vulnerabilities = ===================== ∗∗∗ Tripwire Patch Priority Index for March 2021 ∗∗∗ --------------------------------------------- Tripwire’s March 2021 Patch Priority Index (PPI) brings together important vulnerabilities from SaltStack, VWware, BIG-IP and Microsoft. First on the patch priority list this month are patches for vulnerabilities in Microsoft Exchange (CVE-2021-27065, CVE-2021-26855), SaltStack (CVE-2021-25282, CVE-2021-25281), BIG-IP (CVE-2021-22986) and VMware vCenter (CVE-2021-21972). Exploits for these vulnerabilities have been recently added to the Metasploit Exploit [...] --------------------------------------------- https://www.tripwire.com/state-of-security/vert/tripwire-patch-priority-ind… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin). --------------------------------------------- https://lwn.net/Articles/852339/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily