Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 09.02.2021
by Daily end-of-shift report 09 Feb '21

09 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-02-2021 18:00 − Dienstag 09-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Devices Hunted by LodaRAT Windows Malware ∗∗∗ --------------------------------------------- The LodaRAT - known for targeting Windows devices - has been discovered also targeting Android devices in a new espionage campaign. --------------------------------------------- https://threatpost.com/android-devices-lodarat-windows/163769/ ∗∗∗ Florida: Hacker wollte Trinkwasser aus der Ferne vergiften ∗∗∗ --------------------------------------------- Kriminelle haben ein Trinkwasserwerk in Florida gehackt und die Natriumhydroxid-Zufuhr vervielfacht. Ein Mitarbeiter beobachtete die Tat und stoppte sie. --------------------------------------------- https://heise.de/-5049266 ∗∗∗ Arrest, Raids Tied to ‘U-Admin’ Phishing Kit ∗∗∗ --------------------------------------------- Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” --------------------------------------------- https://krebsonsecurity.com/2021/02/arrest-raids-tied-to-u-admin-phishing-k… ∗∗∗ BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech ∗∗∗ --------------------------------------------- The novel Chinese shellcode "BendyBear" is one of the most sophisticated, well-engineered and difficult-to-detect samples employed by an APT. --------------------------------------------- https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/ ∗∗∗ PyPI, GitLab dealing with spam attacks ∗∗∗ --------------------------------------------- Both sites have been flooded over the weekend with garbage content. --------------------------------------------- https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Kritische Lücke in WordPress-Plug-in NextGen Gallery ∗∗∗ --------------------------------------------- Ein Schlupfloch in NextGen Gallery könnte Schadcode auf 800.000 WordPress-Websites lassen. --------------------------------------------- https://heise.de/-5049401 ∗∗∗ Linux kernel CVE-2020-10769 ∗∗∗ --------------------------------------------- A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module. --------------------------------------------- https://support.f5.com/csp/article/K62532228 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/845504/ ∗∗∗ ZDI-21-153: Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-153/ ∗∗∗ SSA-379803: Vulnerabilities in RUGGEDCOM ROX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-379803.txt ∗∗∗ SSA-428051: Privilege Escalation Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-428051.txt ∗∗∗ SSA-686152: Denial-of-Service Vulnerability in ARP Protocol of SCALANCE W780 and W740 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-686152.txt ∗∗∗ SSA-663999: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-663999.txt ∗∗∗ SSA-536315: Privilege escalation vulnerability in DIGSI 4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-536315.txt ∗∗∗ SSA-944678: Potential Password Protection Bypass in SIMATIC WinCC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-944678.txt ∗∗∗ SSA-794542: Insecure Folder Permissions in SIMARIS configuration ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-794542.txt ∗∗∗ SSA-362164: Predictable Initial Sequence Numbers in Mentor Nucleus TCP stack ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-362164.txt ∗∗∗ SSA-156833: Zip-Slip Directory Traversal Vulnerability in SINEMA Server and SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-156833.txt ∗∗∗ SAP Patchday Februar 2021: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0139 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2021
by Daily end-of-shift report 08 Feb '21

08 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-02-2021 18:00 − Montag 08-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ IT-Security: Google bietet Datenbank zu Lücken in Open-Source-Software ∗∗∗ --------------------------------------------- Ob eigene Software oder Abhängigkeiten von Sicherheitslücken betroffen ist, ist teils nicht leicht herauszufinden. Google will hier helfen. --------------------------------------------- https://www.golem.de/news/it-security-google-bietet-datenbank-zu-luecken-in… ∗∗∗ FOSDEM: Hacker auf dem eigenen Honeypot-Server beobachten ∗∗∗ --------------------------------------------- Auf der FOSDEM haben zwei Entwickler eine raffinierte Methode vorgestellt, einen eigenen SSH-Honeypot zu bauen und den Hackern über die Schulter zu schauen. --------------------------------------------- https://heise.de/-5048084 ∗∗∗ Die Macher der Ransomware Ziggy bereuen ihre Taten und geben auf ∗∗∗ --------------------------------------------- Wer sich den Erpressungstrojaner Ziggy eingefangen hat, kann seine Daten nun mit einem kostenlosen Tool entschlüsseln. --------------------------------------------- https://heise.de/-5048379 ∗∗∗ Barcode Scanner app on Google Play infects 10 million users with one update ∗∗∗ --------------------------------------------- In a single update, a popular barcode scanner app that had been on Google Play for years turned into malware. ... Google quickly removed the app from its store. ... Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. --------------------------------------------- https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google… ∗∗∗ Reverse Engineering Keys from Firmware.A how-to ∗∗∗ --------------------------------------------- It is possible to reverse engineer keys from firmware with some tips: * Always looks for strings/constants. * Make guesses about the original source. * Find a function you can recognise and work backwards to identify other functions. * It helps if they use open-source code so you can crib from it. --------------------------------------------- https://www.pentestpartners.com/security-blog/reverse-engineering-keys-from… ∗∗∗ Erpressung per E-Mail: Kriminelle behaupten, Sie beim Masturbieren gefilmt zu haben ∗∗∗ --------------------------------------------- Aktuell werden wieder massenhaft betrügerische Erpressungsmails versendet. Kriminelle behaupten, sie hätten Ihren Computer gehackt und Sie beim Surfen auf Porno-Webseiten erwischt. Angeblich wurden Sie dabei beim Masturbieren gefilmt. Der unbekannte Absender droht nun damit, dieses Video an all Ihre Kontakte zu senden. Ignorieren Sie dieses E-Mail und antworten Sie auch nicht! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-beh… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox und Tor Browser: Update schließt kritische Lücke und blockiert NTFS-Bug ∗∗∗ --------------------------------------------- Versionsupdates für Firefox, Firefox ESR und Tor Browser beseitigen eine Windows-spezifische Sicherheitslücke und bringen zudem einige Bugfixes mit. --------------------------------------------- https://heise.de/-5048403 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu). --------------------------------------------- https://lwn.net/Articles/845426/ ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- ImageMagick ist eine Sammlung von Programmbibliotheken und Werkzeugen, die Grafiken in zahlreichen Formaten verarbeiten kann. Ein lokaler Angreifer kann eine Schwachstelle in ImageMagick ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0135 ∗∗∗ BlackBerry Powered by Android Security Bulletin - February 2021 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Bulletin: The Ubuntu ca-certificates have been updated in Watson Machine Learning Community Edition containers due to expiration. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-ubuntu-ca-certificate… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2021
by Daily end-of-shift report 05 Feb '21

05 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-02-2021 18:00 − Freitag 05-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Hackers steal StormShield firewall source code in data breach ∗∗∗ --------------------------------------------- Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the companys support ticket system and steal source code for Stormshield Network Security firewall software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-fi… ∗∗∗ Free coffee! Belgian researcher hacks prepaid vending machines ∗∗∗ --------------------------------------------- Only try this at home, folks! As easy as it might look, its illegal in the wild, with good reason. --------------------------------------------- https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-ha… ∗∗∗ Stack Canaries – Gingerly Sidestepping the Cage ∗∗∗ --------------------------------------------- Tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks. --------------------------------------------- https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage ∗∗∗ [SANS ISC] VBA Macro Trying to Alter the Application Menus ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus‘”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive techniqueThe post [SANS ISC] VBA Macro Trying to Alter the Application Menus appeared first on /dev/random. --------------------------------------------- https://blog.rootshell.be/2021/02/05/sans-isc-vba-macro-trying-to-alter-the… ∗∗∗ Abusing Google Chrome extension syncing for data exfiltration and C&C ∗∗∗ --------------------------------------------- I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. --------------------------------------------- https://isc.sans.edu/diary/rss/27066 ∗∗∗ besondereprasente.com: Fordern Sie Ihr Geld zurück! ∗∗∗ --------------------------------------------- Obwohl die Webseite besondereprasente.com gar nicht mehr existiert, erhält die Watchlist Internet nach wie vor zahlreiche Meldungen zu diesem Fake-Shop. Der Grund: Wer bei besondereprasente.com bestellt, tappt in eine teure Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/besondereprasentecom-fordern-sie-ihr… ∗∗∗ Plex Media servers are being abused for DDoS attacks ∗∗∗ --------------------------------------------- Cyber-security firm Netscout warns of new DDoS attack vector. --------------------------------------------- https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-… ∗∗∗ Kasperksy warnt vor Krypto-Scam ∗∗∗ --------------------------------------------- Kapersky hat ein neues Scam-System entdeckt, das es mit verlockenden Angeboten von angeblichen neuen Kryptobörsen auf Anwender von Discord abgesehen hat. --------------------------------------------- https://www.zdnet.de/88393274/kasperksy-warnt-vor-krypto-scam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day im Chrome-Browser: Jetzt Update einspielen ∗∗∗ --------------------------------------------- Eine aktiv ausgenutzte Schwachstelle im Chrome-Browser gefährdet die meisten Betriebssysteme. Google hat ein Update. --------------------------------------------- https://heise.de/-5046783 ∗∗∗ Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style ∗∗∗ --------------------------------------------- On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sit… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna). --------------------------------------------- https://lwn.net/Articles/845191/ ∗∗∗ WordPress Plugin "Name Directory" vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50470170/ ∗∗∗ Security Bulletin: Watson Machine Learning Community Edition docker containers have been updated to fix a security issue in libcurl ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-c… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning 1.6.2 and 1.7.0 has been patched for various security issues in nanopb. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach… ∗∗∗ Security Bulletin: IBM API Connect is impacted by insecure web server configuration (CVE-2020-4825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph… ∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: PowerHA System Mirror for AIX vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powerha-system-mirror-for… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2021
by Daily end-of-shift report 04 Feb '21

04 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-02-2021 18:00 − Donnerstag 04-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices ∗∗∗ --------------------------------------------- 28 malicious extensions disguised traffic as Google Analytics data. --------------------------------------------- https://arstechnica.com/?p=1739523 ∗∗∗ New Fonix ransomware decryptor can recover victims files for free ∗∗∗ --------------------------------------------- Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fonix-ransomware-decrypt… ∗∗∗ How to Audit Password Changes in Active Directory ∗∗∗ --------------------------------------------- Todays admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be. --------------------------------------------- https://thehackernews.com/2021/02/how-to-audit-password-changes-in-active.h… ∗∗∗ Project Zero: Déjà vu-lnerability ∗∗∗ --------------------------------------------- A Year in Review of 0-days Exploited In-The-Wild in 2020 --------------------------------------------- https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html ∗∗∗ E-Tretroller sind leicht zu überwachen und zu manipulieren ∗∗∗ --------------------------------------------- Die Apps der Verleiher sind sehr auskunftsfreudig. Mit den übertragenen Daten lässt sich ein E-Tretroller sogar während der Fahrt abschalten. --------------------------------------------- https://heise.de/-5045945 ∗∗∗ Browser sync—what are the risks of turning it on? ∗∗∗ --------------------------------------------- Browser synchronization is a handy feature but it comes with a few risks. Heres what you should be asking yourself before you switch it on. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/02/browser-sync-what-are-the-r… ∗∗∗ This old form of ransomware has returned with new tricks and new targets ∗∗∗ --------------------------------------------- Cerber was once the most common form of ransomware - and now its back, years after its heyday. --------------------------------------------- https://www.zdnet.com/article/this-old-form-of-ransomware-has-returned-with… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB21-09) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB21-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for the week of February 09, 2021. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1967 ∗∗∗ Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices ∗∗∗ --------------------------------------------- Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a devices wireless communications. --------------------------------------------- https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.ht… ∗∗∗ Jetzt patchen! Sicherheitsupdate für SonicWall SMA 100 ist da ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer auf das Fernzugriffsystem SMA 100 von SonicWall abgesehen. Nun gibt es Patches. --------------------------------------------- https://heise.de/-5045657 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3). --------------------------------------------- https://lwn.net/Articles/845088/ ∗∗∗ Panasonic Video Insight VMS vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42252698/ ∗∗∗ ZDI-21-151: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-151/ ∗∗∗ ZDI-21-150: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-150/ ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2020-14781 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM SDK Java Quarterly CPU Jul 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-quarterly-cp… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ wpa_supplicant: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0129 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX291439 ∗∗∗ Luxion KeyShot ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-035-02 ∗∗∗ WAGO M&M Software fdtCONTAINER (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2021
by Daily end-of-shift report 03 Feb '21

03 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-02-2021 18:00 − Mittwoch 03-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Excel spreadsheets push SystemBC malware, (Wed, Feb 3rd) ∗∗∗ --------------------------------------------- This Excel spreadsheet pushed what might be SystemBC malware when I tested it in my lab environment on Monday 2021-02-01. --------------------------------------------- https://isc.sans.edu/diary/rss/27060 ∗∗∗ Interview with a LockBit ransomware operator ∗∗∗ --------------------------------------------- In September 2020, Cisco Talos established contact with a self-described LockBit operator and experienced threat actor. Over the course of several weeks, we conducted multiple interviews. --------------------------------------------- https://blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomwar… ∗∗∗ Hildegard: New TeamTNT Malware Targeting Kubernetes ∗∗∗ --------------------------------------------- Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations. --------------------------------------------- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ ∗∗∗ Gefälschte Rechnung für Desinfektionsmittel im Umlauf! ∗∗∗ --------------------------------------------- Viele Unternehmen müssen aufgrund der Coronakrise stärkere Hygienemaßnahmen umsetzen. Dazu zählt auch die Bereitstellung von Desinfektionsmittel. Für viele ist es daher wohl wenig überraschend, wenn sich im E-Mail-Posteingang eine Rechnung für bestellte Desinfektionsmittel findet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-rechnung-fuer-desinfekti… ===================== = Vulnerabilities = ===================== ∗∗∗ Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities ∗∗∗ --------------------------------------------- In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates). --------------------------------------------- https://lwn.net/Articles/844948/ ∗∗∗ Recent root-giving Sudo bug also impacts macOS ∗∗∗ --------------------------------------------- A bug in the Sudo app can let attackers with access to a local system to elevate their access to a root-level account. --------------------------------------------- https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-maco… ∗∗∗ Cisco Security Advisories 2021-02-03 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Security Advisory - Improper Resource Management Vulnerability in eUDC660 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Improper Information Processing Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Improper Permission Assignment Vulnerability in Huawei ManageOne Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Information Leakage Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Information Leakage Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210202-… ∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a remote code execution vulnerability (CVE-2020-4682) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 affected by Apache Cassandra vulnerability (CVE-2020-13946) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Node.js.(CVE-2020-8201 CVE-2020-8251 CVE-2020-8252 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via etcd (CVE-2020-15106 CVE-2020-15112 CVE-2020-15113) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: jackson-databind vulnerability CVE-2021-20190 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-vulnerab… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to arbitrary code excution in Drupal Core (CVE-2020-13671) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM Cloud Pak For Security vulnerable to potential information disclosure through HTTP headers (CVE-2020-4967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into command log files (CVE-2020-4889) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF) (CVE-2020-4787) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a ClickJacking vulnerability (CVE-2020-4165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection Vulnerability (CVE-2020-4949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Bouncy Castle Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bouncy-castle-vulnerabili… ∗∗∗ February 2, 2021 TNS-2021-01 [R1] Nessus AMI 8.13.1 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-01 ∗∗∗ Linux kernel vulnerability CVE-2020-14385 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84900646 ∗∗∗ D-LINK Router DNS-320: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0122 ∗∗∗ Rockwell Automation MicroLogix 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-033-01 ∗∗∗ Siemens SIMATIC HMI Comfort Panels & SIMATIC HMI KTP Mobile Panels ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02 ∗∗∗ 2019-08Hirschmann RSP, RSPE, and OS2 series HSR denial of service vulnerability ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/12276-sour… ∗∗∗ 2021-02ICX35 Local Web Based Configuration Interface Password Set ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/12277-sour… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2021
by Daily end-of-shift report 02 Feb '21

02 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Montag 01-02-2021 18:00 − Dienstag 02-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Linux malware steals SSH credentials from supercomputers ∗∗∗ --------------------------------------------- A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-steals-ssh… ∗∗∗ Malicious script steals credit card info stolen by other hackers ∗∗∗ --------------------------------------------- A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-script-steals-cred… ∗∗∗ New Threat: Matryosh Botnet Is Spreading ∗∗∗ --------------------------------------------- On January 25, 2021, 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirais characteristics. --------------------------------------------- https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/ ∗∗∗ New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd) ∗∗∗ --------------------------------------------- Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/27056 ∗∗∗ Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques ∗∗∗ --------------------------------------------- Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims. --------------------------------------------- https://thehackernews.com/2021/02/agent-tesla-malware-spotted-using-new.html ∗∗∗ Operation Dream Job by Lazarus ∗∗∗ --------------------------------------------- Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more; Torisma and LCPDot. --------------------------------------------- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html ∗∗∗ New Trickbot module uses Masscan for local network reconnaissance ∗∗∗ --------------------------------------------- The new Trickbot module is used to scan local networks for other nearby systems with open ports that could be hacked for quick lateral movement inside a company. --------------------------------------------- https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-ne… ∗∗∗ Microsoft tracked a system sending a million malware emails a month. Heres what it discovered ∗∗∗ --------------------------------------------- Emerging attacker email infrastructure now sends over a million malware-laden emails each month. --------------------------------------------- https://www.zdnet.com/article/microsoft-tracked-a-system-sending-a-million-… ∗∗∗ Operation NightScout: Supply‑chain attack targets online gaming in Asia ∗∗∗ --------------------------------------------- ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia. --------------------------------------------- https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain… ∗∗∗ Gewinnspiel im Namen von Hofer führt in Abo-Falle ∗∗∗ --------------------------------------------- Vorsicht: Kriminelle geben sich als Hofer aus und informieren via E-Mail über einen angeblichen Gewinn. --------------------------------------------- https://www.watchlist-internet.at/news/gewinnspiel-im-namen-von-hofer-fuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs ∗∗∗ --------------------------------------------- Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/125331 ∗∗∗ DSA-4843 linux - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. --------------------------------------------- https://www.debian.org/security/2021/dsa-4843 ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/apple-releases-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu). --------------------------------------------- https://lwn.net/Articles/844865/ ∗∗∗ Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks ∗∗∗ --------------------------------------------- Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild. --------------------------------------------- https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-expl… ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0115 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2021
by Daily end-of-shift report 01 Feb '21

01 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-01-2021 18:00 − Montag 01-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st) ∗∗∗ --------------------------------------------- Over the last number of weeks (after the Solarwinds Orion news) there's been a lot of discussion on how to detect if a server-based applcation is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol". --------------------------------------------- https://isc.sans.edu/diary/rss/27054 ∗∗∗ Hintermänner der Fonix-Ransomware geben auf und veröffentlichen Master-Schlüssel ∗∗∗ --------------------------------------------- Opfer des Verschlüsselungstrojaner Fonix sehen Licht am Ende des Tunnels. --------------------------------------------- https://heise.de/-5041914 ∗∗∗ SonicWall zero-day exploited in the wild ∗∗∗ --------------------------------------------- Security firm NCC Group said it detected "indiscriminate" exploitation of a mysterious SonicWall zero-day. --------------------------------------------- https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/ ∗∗∗ Shodan Verified Vulns 2021-02-01 ∗∗∗ --------------------------------------------- Wieder ist ein Monat vergangen und damit auch wieder die Zeit gekommen, um einen Blick auf Shodans Daten zu den Verified Vulnerabilities in Österreich zu werfen. --------------------------------------------- https://cert.at/de/aktuelles/2021/2/shodan-verified-vulns-2021-02-01 ∗∗∗ Trickbot feiert Comeback ∗∗∗ --------------------------------------------- Kaum ist die Freude über die Zerschlagung von Emotet verklungen, feiert ein anderes Malware-Netzwerk namens Trickbot nach einigen Monaten Stille ein Comeback. --------------------------------------------- https://www.zdnet.de/88393163/trickbot-feiert-comeback/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 ∗∗∗ --------------------------------------------- A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges. [...] Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ WordPress-Plug-in Popup Builder: Angreifer könnten Newsletter verschicken ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das WordPress-Plug-in Popup Builder. --------------------------------------------- https://heise.de/-5041788 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox, rubygem-nokogiri) and Ubuntu (mysql-5.7, mysql-8.0, python-django). --------------------------------------------- https://lwn.net/Articles/844749/ ∗∗∗ Sudo vulnerability CVE-2021-3156 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K86488846?utm_source=f5support&utm_mediu… ∗∗∗ Critical vulnerability in Apple iOS WebKit browser components can impact users of the BIG-IP APM F5 Access client ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K58149033?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2021
by Daily end-of-shift report 29 Jan '21

29 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-01-2021 18:00 − Freitag 29-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Perl.com domain stolen, now using IP address tied to malware ∗∗∗ --------------------------------------------- The domain name perl.com was stolen this week and is now points to an IP address associated with malware campaigns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/perlcom-domain-stolen-now-us… ∗∗∗ A Look at iMessage in iOS 14 ∗∗∗ --------------------------------------------- On December 20, Citizenlab published “The Great iPwn”, detailing how “Journalists [were] Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit”. Of particular interest is the following note: “We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections''. Given that it is also now almost exactly one year ago since we published the Remote iPhone Exploitation blog post series, in which we described how an iMessage 0-click exploit can work in practice and gave a number of suggestions on how similar attacks could be prevented in the future, now seemed like a great time to dig into the security improvements in iOS 14 in more detail and explore how Apple has hardened their platform against 0-click attacks. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14… ∗∗∗ Sensitive Data Shared with Cloud Services, (Fri, Jan 29th) ∗∗∗ --------------------------------------------- Yesterday was the data protection day in Europe. I was not on duty so Im writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild: 14GB compressed, 77M credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/27042 ∗∗∗ Attacks on Individuals Fall as Cybercrime Shifts Tactics ∗∗∗ --------------------------------------------- Cybercriminals shifted away from stealing individual consumers’ information in 2020 to focus on bigger, more profitable attacks on businesses, according to a report from the Identity Theft Resource Center. --------------------------------------------- https://www.securityweek.com/attacks-individuals-fall-cybercrime-shifts-tac… ∗∗∗ Identitätsdiebstahl durch betrügerische Jobangebote boomen! ∗∗∗ --------------------------------------------- Der Arbeitsmarkt in Österreich ist weiterhin angespannt. Das macht sich auch im Bereich des Internetbetrugs bemerkbar. So melden unsere LeserInnen immer wieder, dass sie bei der Suche nach einem Nebenverdienst auf ein betrügerisches Job-Angebot gestoßen sind. Das Ziel hinter dieser Betrugsmasche: Die BetrügerInnen versuchen die Identität der Opfer zu klauen, manchmal wird auch ein Konto im Namen der Betroffenen eröffnet. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-durch-betrueger… ∗∗∗ Don’t stop at alert(1): Demonstrate impact with low severity bugs ∗∗∗ --------------------------------------------- When trying to discover vulnerabilities in a web application, you may not always come across high or critical severity bugs, and only end up finding low-medium severity issues like cross-site scripting (XSS). When that is the case, it is worth seeing how far those bugs can take you, since low severity vulnerabilities can still have a large effect when leveraged as part of a more impactful attack chain. --------------------------------------------- https://medium.com/tenable-techblog/dont-stop-at-alert-1-demonstrate-impact… ===================== = Vulnerabilities = ===================== ∗∗∗ Libgcrypt: Warnung vor schwerem Fehler in GnuPG-Kryptobibliothek ∗∗∗ --------------------------------------------- Die jüngste Version der Verschlüsselungsbibliothek Libgcrypt, die unter anderem von GnuPG verwendet wird, soll eine schwere Sicherheitslücke haben. --------------------------------------------- https://www.golem.de/news/libgcrypt-warnung-vor-schwerem-fehler-in-gnupg-kr… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java). --------------------------------------------- https://lwn.net/Articles/844521/ ∗∗∗ Rockwell Automation FactoryTalk Linx and FactoryTalk Services Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for Classic Buffer overflow, and Improper Check or Handling of Exceptional Conditions vulnerabilities in Rockwell Automations FactoryTalk Linx and FactoryTalk Services Platform software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-028-01 ∗∗∗ SSA-520004: Telnet Authentication Vulnerability in SIMATIC HMI Comfort Panels ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-520004.txt ∗∗∗ Linksys Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2021
by Daily end-of-shift report 28 Jan '21

28 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-01-2021 18:00 − Donnerstag 28-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th) ∗∗∗ --------------------------------------------- Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal). --------------------------------------------- https://isc.sans.edu/diary/rss/27036 ∗∗∗ Italy CERT Warns of a New Credential Stealing Android Malware ∗∗∗ --------------------------------------------- Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. --------------------------------------------- https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html ∗∗∗ CISA Malware Analysis on Supernova ∗∗∗ --------------------------------------------- CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/27/cisa-malware-anal… ∗∗∗ Pro-Ocean: Rocke Group’s New Cryptojacking Malware ∗∗∗ --------------------------------------------- In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero. --------------------------------------------- https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojackin… ∗∗∗ US and Bulgarian authorities disrupt NetWalker ransomware operation ∗∗∗ --------------------------------------------- Authorities seize dark web domains, charge a Canadian, and seize $454,000 in cryptocurrency. --------------------------------------------- https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalke… ∗∗∗ Stack Overflow: Heres what happened when we were hacked back in 2019 ∗∗∗ --------------------------------------------- Company goes into detail on how a hacker used Overflows community knowledge-sharing to figure out how to hack it back in 2019. --------------------------------------------- https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-we… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Chrome blocks 7 more ports to stop NAT Slipstreaming attacks ∗∗∗ --------------------------------------------- Google Chrome now blocks access to websites on an additional seven TCP ports to protect against the NAT Slipstreaming 2.0 vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-chrome-blocks-7-more-… ∗∗∗ The Wordfence 2020 WordPress Threat Report ∗∗∗ --------------------------------------------- Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress [...] --------------------------------------------- https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-… ∗∗∗ Windows Installer Local Privilege Escalation 0day Gets a Micropatch ∗∗∗ --------------------------------------------- On December 26, security researcher Abdelhamid Naceri published a blog post with a number of 0days in various security products and a local privilege escalation 0day in Windows Installer. --------------------------------------------- https://blog.0patch.com/2021/01/windows-installer-local-privilege.html ∗∗∗ Local Privilege Escalation 0day in PsExec Gets a Micropatch ∗∗∗ --------------------------------------------- Update 1/28/2021: Since our publication of micropatch for PsExec version 2.2, PsExec has been updated to versions 2.30, 2.31 and finally 2.32. where it still resides today. David was able to update his POC for each version so the current version 2.32. is still vulnerable to the same attack. --------------------------------------------- https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2,[...] --------------------------------------------- https://lwn.net/Articles/844366/ ∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000284205 ∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000284202 ∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000284206 ∗∗∗ JasPer: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0100 ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0099 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2021
by Daily end-of-shift report 27 Jan '21

27 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-01-2021 18:00 − Mittwoch 27-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet Takedown: Wir informieren Betroffene in Österreich ∗∗∗ --------------------------------------------- In einer koordinierten Aktion von mehreren Strafverfolgungsbehörden wurde das Netzwerk rund um die Malware Emotet ausgeschaltet und übernommen. --------------------------------------------- https://cert.at/de/aktuelles/2021/1/emotet-takedown-wir-informieren-betroff… ∗∗∗ Heres how a researcher broke into Microsoft VS Codes GitHub ∗∗∗ --------------------------------------------- This month a researcher was awarded a bug bounty award of an undisclosed amount after he broke into the official GitHub repository of Microsoft Visual Studio Code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke… ∗∗∗ Linux malware uses open-source tool to evade detection ∗∗∗ --------------------------------------------- AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-malware-uses-open-sour… ∗∗∗ Phishing & Malspam with Leaf PHPMailer ∗∗∗ --------------------------------------------- It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL or download a malicious attachment. --------------------------------------------- https://blog.sucuri.net/2021/01/phishing-malspam-with-leaf-phpmailer.html ∗∗∗ Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication ∗∗∗ --------------------------------------------- FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff… ∗∗∗ Vorsicht beim Online-Kauf von FFP2-Masken! ∗∗∗ --------------------------------------------- Auf den Webseiten givenic.com und quantheco.com werden günstige FFP2-Masken und weitere „COVID-19 Gesundheitstools“ angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-online-kauf-von-ffp2-m… ∗∗∗ LogoKit: Simple, Effective, and Deceptive ∗∗∗ --------------------------------------------- As sophisticated attacks dominate the headlines, its important to remember that the vast majority of cybercrime results from simple, effective, and tested tools. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/logokit-phishing/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple critical patches fix in-the-wild iPhone exploits – update now! ∗∗∗ --------------------------------------------- Apple says. "Additional details available soon", which you can translate as "this one took us by surprise". So patch now! --------------------------------------------- https://nakedsecurity.sophos.com/2021/01/27/apple-critical-patches-fix-in-t… ∗∗∗ New Attack Could Let Remote Hackers Target Devices On Internal Networks ∗∗∗ --------------------------------------------- A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research. --------------------------------------------- https://thehackernews.com/2021/01/new-attack-could-let-remote-hackers.html ∗∗∗ New Docker Container Escape Bug Affects Microsoft Azure Functions ∗∗∗ --------------------------------------------- Cybersecurity researchers today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them. --------------------------------------------- https://thehackernews.com/2021/01/new-docker-container-escape-bug-affects.h… ∗∗∗ Sicherheitsupdate: Tor Browser vor möglichen Schadcode-Attacken geschützt ∗∗∗ --------------------------------------------- Wer weiterhin anonym und sicher mit dem Tor Browser im Internet surfen möchte, sollte die aktuelle Version installieren. --------------------------------------------- https://heise.de/-5037561 ∗∗∗ Jetzt updaten: Kritische sudo-Lücke gewährt lokalen Angreifern Root-Rechte ∗∗∗ --------------------------------------------- Über die zehn Jahre alte Lücke CVE-2021-3156 können lokale Angreifer Root-Rechte via sudo ohne sudo-Berechtigungen erlangen. --------------------------------------------- https://heise.de/-5037687 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo). --------------------------------------------- https://lwn.net/Articles/844184/ ∗∗∗ OS command injection vulnerability in multiple Infoscience Corporation log management tools ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN41853173/ ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210127-… ∗∗∗ Mozilla Firefox und Thunderbird: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0093 ∗∗∗ MISP: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0097 ∗∗∗ Trend Micro ServerProtect: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0095 ∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01 ∗∗∗ Eaton EASYsoft (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03 ∗∗∗ Mitsubishi Electric Multiple Products (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01 ∗∗∗ Denial of Service in Rexroth ID 200/C-ETH using EtherNet/IP Protocol ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-775371.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily