Daily

daily@lists.cert.at

1 participants
3203 discussions

Tageszusammenfassung - 12.03.2021
by Daily end-of-shift report 12 Mar '21

12 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-03-2021 18:30 − Freitag 12-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sie warten auf ein Paket? Vorsicht vor dieser betrügerischen E-Mail! ∗∗∗ --------------------------------------------- Immer wieder versuchen Kriminelle Sie durch falsche Behauptungen in eine Abo-Falle zu locken oder an Ihre Daten zu kommen. Derzeit melden uns LeserInnen betrügerische E-Mails, in denen behauptet wird, dass ein Paket nicht zugestellt werden kann, da die Adresse fehle. Doch Vorsicht: Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/sie-warten-auf-ein-paket-vorsicht-vo… ∗∗∗ Zusatzkosten & lange Lieferzeiten? So vermeiden Sie Probleme bei Online-Shops außerhalb der EU! ∗∗∗ --------------------------------------------- Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Das gilt insbesondere für Shops, die entweder Ihren Sitz außerhalb der EU haben oder von außerhalb der EU liefern lassen. Wir zeigen Ihnen, auf was Sie achten müssen, damit Sie keine bösen Überraschungen beim Online-Shopping im Ausland erleben! --------------------------------------------- https://www.watchlist-internet.at/news/zusatzkosten-lange-lieferzeiten-so-v… ∗∗∗ New DEARCRY Ransomware is targeting Microsoft Exchange Servers ∗∗∗ --------------------------------------------- A new ransomware called DEARCRY is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-ta… ∗∗∗ What Are BEC Attacks? ∗∗∗ --------------------------------------------- Otherwise known as BEC, Business e-mail compromise happens when an attacker hacks into a corporate e-mail account and impersonates the real owner with the sole purpose to defraud the company, its customers, partners and/or employees into sending money or sensitive data to the attacker’s account. Also known as the “man-in-the-email” attack, BEC scams start with [...] --------------------------------------------- https://heimdalsecurity.com/blog/what-are-bec-attacks/ ∗∗∗ New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims ∗∗∗ --------------------------------------------- In the security community, when people talk about honeypot, by default we would assume this is one of the most used toolkits for security researchers to lure the bad guys. But recently we came across a botnet uses honeypot to harvest other infected devices, which is quite interesting. --------------------------------------------- https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/ ∗∗∗ A Spectre proof-of-concept for a Spectre-proof web ∗∗∗ --------------------------------------------- Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still [...] --------------------------------------------- https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spec… ∗∗∗ Mac Malware XCSSET Adapted for Devices With M1 Chips ∗∗∗ --------------------------------------------- An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip. --------------------------------------------- https://www.securityweek.com/mac-malware-xcsset-adapted-devices-m1-chips ∗∗∗ New Browser Attack Allows Tracking Users Online With JavaScript Disabled ∗∗∗ --------------------------------------------- [...] the latest research released this week aims to bypass such browser-based mitigations by implementing a side-channel attack called "CSS Prime+Probe" constructed solely using HTML and CSS, allowing the attack to work even in hardened browsers like Tor, Chrome Zero, and DeterFox that have JavaScript fully disabled or limit the resolution of the timer API. --------------------------------------------- https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144) ∗∗∗ --------------------------------------------- The D-Link DIR-3060 (running firmware versions below v1.11b04) is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to a DIR-3060 would be able to run arbitrary system commands on the device as the system "admin" user, with root privileges. D-Link has released a patched firmware version v1.11b04 Hotfix 2 to address this issue. Affected users are advised to apply the patch. --------------------------------------------- https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/849208/ ∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in Schneider Electric IGSS SCADA software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01 ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0266 ∗∗∗ NetBSD Foundation NetBSD OS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0270 ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-8277 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerability in TLS (CVE-2020-4831) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-26116 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2021
by Daily end-of-shift report 11 Mar '21

11 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-03-2021 18:30 − Donnerstag 11-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Der Hafnium Exchange-Server-Hack: Anatomie einer Katastrophe ∗∗∗ --------------------------------------------- Hätte Microsoft den Massenhack von Exchange-Servern mit rascheren Reaktionen verhindern verhindern können? Der Ablauf der Ereignisse wirft Fragen auf. --------------------------------------------- https://heise.de/-5077269 ∗∗∗ NAT-Slipstreaming-Angriffe: Es kommt noch schlimmer ∗∗∗ --------------------------------------------- Zeit zu handeln: Mit dem NAT-Slipstreaming 2.0 können Kriminelle nicht nur das Gerät des Opfers, sondern jede IP-Adresse im Netzwerk angreifen. --------------------------------------------- https://heise.de/-5078104 ∗∗∗ Exchange-Lücken: Jetzt kommt die Cybercrime-Welle mit Erpressung ∗∗∗ --------------------------------------------- Ein öffentlicher Exploit für die Sicherheitslücken in Microsoft Exchange bedeutet, dass die ersten Erpressungsfälle vor der Tür stehen. --------------------------------------------- https://heise.de/-5078180 ∗∗∗ F5 Announces Critical BIG-IP pre-auth RCE bug ∗∗∗ --------------------------------------------- F5 Networks is a leading provider of enterprise networking gear, with software and hardware customers like governments, Fortune 500 firms, banks, internet service providers, and largely known consumer brands (Microsoft, Oracle, and Facebook). The patch refers to the four critical vulnerabilities listed below and also includes a pre-auth RCE security flaw (CVE-2021-22986) that allows unauthenticated [...] --------------------------------------------- https://heimdalsecurity.com/blog/f5-announces-critical-bug/ ∗∗∗ FIN8 Resurfaces with Revamped Backdoor Malware ∗∗∗ --------------------------------------------- The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems. --------------------------------------------- https://threatpost.com/fin8-resurfaces-backdoor-malware/164684/ ∗∗∗ Piktochart - Phishing with Infographics, (Thu, Mar 11th) ∗∗∗ --------------------------------------------- In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targetting users of the Infographic service Piktochart. --------------------------------------------- https://isc.sans.edu/diary/rss/27194 ∗∗∗ Magento 2 PHP Credit Card Skimmer Saves to JPG ∗∗∗ --------------------------------------------- Bad actors often leverage creative techniques to conceal malicious behaviour and harvest sensitive information from ecommerce websites. A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file. --------------------------------------------- https://blog.sucuri.net/2021/03/magento-2-php-credit-card-skimmer-saves-to-… ∗∗∗ Home Assistant, Pwned Passwords and Security Misconceptions ∗∗∗ --------------------------------------------- Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter Ive come to love as Ive embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently:always something. --------------------------------------------- https://www.troyhunt.com/home-assistant-pwned-passwords-and-security-miscon… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant). --------------------------------------------- https://lwn.net/Articles/849088/ ∗∗∗ Security Advisory - Sudo Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210310… ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0260 ∗∗∗ Linux kernel ext3/ext4 file system vulnerability CVE-2020-14314 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67830124 ∗∗∗ glibc vulnerability CVE-2019-25013 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68251873 ∗∗∗ glibc vulnerability CVE-2020-29573 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27238230 ∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is Affected by Multiple Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Symbolic Link Permissions Problem Modeler Subscription Installer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-symbolic-link-permissions… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by vulnerability in jackson-databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2021
by Daily end-of-shift report 10 Mar '21

10 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-03-2021 18:30 − Mittwoch 10-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exchange-Hack: Microsoft-365-Migrationstool durch Textdatei ausgetauscht ∗∗∗ --------------------------------------------- Ein Golem.de-Leser wollte Exchange-Konten des Arbeitgebers auf Microsoft 365 migrieren. Statt des Hilfstools gab es eine Textdatei mit Nachricht. --------------------------------------------- https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-… ∗∗∗ Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS ∗∗∗ --------------------------------------------- (Edit: this is CVE-2021-1000002)Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands. --------------------------------------------- https://mjg59.dreamwidth.org/56106.html ∗∗∗ Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ∗∗∗ --------------------------------------------- Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vu… ∗∗∗ SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th) ∗∗∗ --------------------------------------------- With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold? --------------------------------------------- https://isc.sans.edu/diary/rss/27188 ∗∗∗ Researchers Unveil New Linux Malware Linked to Chinese Hackers ∗∗∗ --------------------------------------------- Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog. --------------------------------------------- https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html ∗∗∗ Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks ∗∗∗ --------------------------------------------- Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code. --------------------------------------------- https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expo… ∗∗∗ Targeted HelloKitty Ransomware Attack ∗∗∗ --------------------------------------------- SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac70… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Patch Tuesday - March 2021 ∗∗∗ --------------------------------------------- In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3e… ∗∗∗ Patchday Adobe: Schadcode-Lücken in Connect, Creative Cloud und Framemaker ∗∗∗ --------------------------------------------- Der Software-Hersteller Adobe hat in verschiedenen Anwendungen mehrere kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-5076338 ∗∗∗ Versionsverwaltung Git 2.30.2. behebt Sicherheitslücke beim Klonen ∗∗∗ --------------------------------------------- Die Schwachstelle ermöglicht unter bestimmten Umständen das Ausführen von Skripten beim Klonen von Repositories. --------------------------------------------- https://heise.de/-5076502 ∗∗∗ SAP-Patchday: Kritische Lücken aus SAP MII und NetWeaver AS für Java beseitigt ∗∗∗ --------------------------------------------- SAP hat unter anderem zwei Sicherheitslücken in Manufacturing Integration and Intelligence (MII) & NetWeaver AS JAVA mit CVSS-Scores nahe der 10 geschlossen. --------------------------------------------- https://heise.de/-5076543 ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf ∗∗∗ --------------------------------------------- 3MF Consortium’s lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition. --------------------------------------------- https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh). --------------------------------------------- https://lwn.net/Articles/848973/ ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- CB-K21/0250: QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0250 ∗∗∗ SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 and Jan 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ BIG-IQ DCD vulnerability CVE-2021-22996 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-22995 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-22997 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_mediu… ∗∗∗ F5 TMUI XSS vulnerability CVE-2021-22994 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23003 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP ASM iControl REST vulnerability CVE-2021-23001 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP TMM vulnerability CVE-2021-23000 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP SNAT vulnerability CVE-2021-22998 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-23005 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23004 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ XSS vulnerability CVE-2021-23006 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP APM VPN vulnerability CVE-2021-23002 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_mediu… ∗∗∗ TMM buffer-overflow vulnerability CVE-2021-22991 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_mediu… ∗∗∗ TMUI authenticated remote command execution vulnerability CVE-2021-22988 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_mediu… ∗∗∗ Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2021-22999 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_mediu… ∗∗∗ Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_mediu… ∗∗∗ iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_mediu… ∗∗∗ Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_mediu… ∗∗∗ Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_mediu… ∗∗∗ glibc vulnerability CVE-2021-3326 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2021
by Daily end-of-shift report 09 Mar '21

09 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-03-2021 18:30 − Dienstag 09-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers ∗∗∗ --------------------------------------------- A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unp… ∗∗∗ GitHub Fixed a Bug impacting Authenticated Sessions ∗∗∗ --------------------------------------------- Earlier this month GitHub received a report of anomalous behavior from an external party, therefore they fixed the bug trying to protect user accounts against a potentially serious security vulnerability. The weird behavior was generated by a race condition vulnerability that misrouted the GitHub user’s login session to the web browser of another logged-in user, [...] --------------------------------------------- https://heimdalsecurity.com/blog/github-fixes-bug/ ∗∗∗ Serious Security: Webshells explained in the aftermath of HAFNIUM attacks ∗∗∗ --------------------------------------------- Webshells explained, with some (safe) examples you can try at home if you want to learn more. --------------------------------------------- https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-expl… ∗∗∗ 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect [...] --------------------------------------------- https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html ∗∗∗ Fuzzing grub: part 1 ∗∗∗ --------------------------------------------- Recently a set of 8 vulnerabilities were disclosed for the grub bootloader. I found 2 of them (CVE-2021-20225 and CVE-2021-20233), and contributed a number of other fixes for crashing bugs which we dont believe are exploitable. I found them by applying fuzz testing to grub. Heres how. --------------------------------------------- https://sthbrx.github.io/blog/2021/03/04/fuzzing-grub-part-1/ ∗∗∗ Vorsicht vor betrügerischen Wohnungsinseraten im Facebook-Marketplace ∗∗∗ --------------------------------------------- Auch im Facebook-Marketplace werden Miet- und Eigentumswohnungen inseriert. Ist der Preis jedoch sehr günstig, sollten Sie vorsichtig sein, denn es könnte sich um Betrug handeln. Behaupten VermieterInnen, dass sie im Ausland sind und sie die Besichtigung und Übermittlung der Kaution über Airbnb abwickeln, können Sie eindeutig von Betrug ausgehen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-wohnung… ∗∗∗ Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning ∗∗∗ --------------------------------------------- We review vulnerabilities in dnsmasq, an open source DNS resolver, deep dive into DNS cache poisoning and describe effects on cloud products. --------------------------------------------- https://unit42.paloaltonetworks.com/overview-of-dnsmasq-vulnerabilities-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe fixes critical Creative Cloud, Adobe Connect vulnerabilities ∗∗∗ --------------------------------------------- Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-creativ… ∗∗∗ Apple Plugs Severe WebKit Remote Code-Execution Hole ∗∗∗ --------------------------------------------- Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari. --------------------------------------------- https://threatpost.com/apple-webkit-remote-code-execution/164595/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd). --------------------------------------------- https://lwn.net/Articles/848835/ ∗∗∗ Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components ∗∗∗ --------------------------------------------- Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products. --------------------------------------------- https://www.securityweek.com/siemens-releases-several-advisories-vulnerabil… ∗∗∗ Synology-SA-21:11 Download Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_11 ∗∗∗ Synology-SA-21:10 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_10 ∗∗∗ SAP Security Patch Day - March 2021 ∗∗∗ --------------------------------------------- On 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107 ∗∗∗ Microsoft Exchange attacks: Now Microsoft rushes out a patch for these unsupported Exchange servers, too ∗∗∗ --------------------------------------------- Microsoft provides more patches for critical Exchange vulnerabilities that are being exploited widely on the internet. --------------------------------------------- https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rush… ∗∗∗ Squid: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0241 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0247 ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring returns potentially sensitive information in headers which could lead to further attacks against the system. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Google Protocol Buffers as used by IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2015-5237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-google-protocol-buffers-a… ∗∗∗ Security Bulletin: Information leakage vulnerability affect IBM Business Automation Workflow – CVE-2021-20358 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-leakage-vulne… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in JAVA affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Vulnerability in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2021
by Daily end-of-shift report 08 Mar '21

08 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-03-2021 18:30 − Montag 08-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Angriffe auf Exchange-Server – Microsoft stellt Prüf-Skript für Admins bereit ∗∗∗ --------------------------------------------- Sicherheitslücken im Exchange-Server ziehen derzeit Angriffe auf sich. Microsoft stellt ein Skript bereit, mit dem Administratoren ihre Systeme prüfen können. --------------------------------------------- https://heise.de/-5073827 ∗∗∗ A Basic Timeline of the Exchange Mass-Hack ∗∗∗ --------------------------------------------- Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Heres a brief timeline of what we know leading up to last weeks mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. --------------------------------------------- https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-h… ∗∗∗ Ransomware gang plans to call victims business partners about attacks ∗∗∗ --------------------------------------------- The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victims business partners to generate ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-cal… ∗∗∗ Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) ∗∗∗ --------------------------------------------- Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! --------------------------------------------- https://isc.sans.edu/diary/rss/27174 ∗∗∗ The January/February 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Dependency confusion - when trust is too good to be true Water hacking - not a new trendy sport, but [...] --------------------------------------------- https://securityblog.switch.ch/2021/03/08/the-january-february-2021-issue-o… ∗∗∗ Domain dumpster diving ∗∗∗ --------------------------------------------- By Jaeson Schultz. Dumpster diving - searching through the trash looking for items of value - has long been a staple of hacking culture. In the 1995 movie "Hackers," Acid Burn and Crash Override are seen dumpster diving for information they can use to help them "hack the Gibson." Of course, not all trash is physical garbage located in a dumpster behind an office building. Some trash is virtual. --------------------------------------------- https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html ∗∗∗ Bazar Drops the Anchor ∗∗∗ --------------------------------------------- The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage [...] --------------------------------------------- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical 0-day in The Plus Addons for Elementor Allows Site Takeover ∗∗∗ --------------------------------------------- Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2). --------------------------------------------- https://lwn.net/Articles/848710/ ∗∗∗ Linux kernel vulnerability CVE-2019-18282 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32380005 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14779,CVE-2020-14796, CVE-2020-14797,CVE-2020-14798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect TPF Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server January 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's provider org registration flow is vulnerable to impersonation and sensitive information leak. CVE-2020-4903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-provider… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via Node.js (CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: IBM API Connect V10 is impacted by insecure communications during database replication (CVE-2020-4695) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v10-is-im… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to an RCE attack (CVE-2020-5014) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2021
by Daily end-of-shift report 05 Mar '21

05 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-03-2021 18:30 − Freitag 05-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft: Exchange updates can install without fixing vulnerabilities ∗∗∗ --------------------------------------------- Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-c… ∗∗∗ D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant ∗∗∗ --------------------------------------------- A new variant of the Gafgyt botnet - thats actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say. --------------------------------------------- https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/ ∗∗∗ QNAP NAS users, make sure you check your system ∗∗∗ --------------------------------------------- On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1], upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities. --------------------------------------------- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ∗∗∗ Spam Farm Spotted in the Wild, (Fri, Mar 5th) ∗∗∗ --------------------------------------------- If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. --------------------------------------------- https://isc.sans.edu/diary/rss/27170 ∗∗∗ Kampf der Excel-Schadsoftware: AMSI gegen verseuchten XML-Code ∗∗∗ --------------------------------------------- Microsoft baut sein Antimalware Scan Interface (AMSI) aus. Neben VBA- kann es jetzt auch XML-Code scannen. --------------------------------------------- https://heise.de/-5073364 ∗∗∗ QNAPCrypt and SunCrypt Ransomware Connection ∗∗∗ --------------------------------------------- Intezer has published a blog posting that provides an analysis of the connections between the QNAPCrypt and SunCrypt ransomware. SunCrypt is affiliate ransomware service while QNAPCrypt surfaced in 2019 and was used to target devices from QNAP and Synology. The analysis concludes that the current SunCrypt ransomware shares many similarities [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/75ee68a919cad9c434c63bfb0e3… ∗∗∗ GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence ∗∗∗ --------------------------------------------- Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM - the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot… ===================== = Vulnerabilities = ===================== ∗∗∗ Grub 2: Acht neue Schwachstellen im Bootloader ∗∗∗ --------------------------------------------- Die Entwickler von Grub 2 haben mehrere Lücken gemeldet. Einige davon können erneut Secure Boot aushebeln, was den Update-Prozess deutlich verkompliziert. --------------------------------------------- https://heise.de/-5073481 ∗∗∗ Benchmarking-Tool VMware View Planner ist für Schadcode anfällig ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für VMware View Planner. Unter bestimmten Voraussetzungen könnten Angreifer eigene Befehle ausführen. --------------------------------------------- https://heise.de/-5073000 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa). --------------------------------------------- https://lwn.net/Articles/848416/ ∗∗∗ Supermicro, Pulse Secure Respond to Trickbots Ability to Target Firmware ∗∗∗ --------------------------------------------- Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware. --------------------------------------------- https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-abil… ∗∗∗ ICS-CERT Advisories March 04 2021 ∗∗∗ --------------------------------------------- The ICS-CERT has published 2 advisories that affect Rockwell Automation 1734-AENTR Series B and Series C, and Schneider Electric EcoStruxure Building Operation (EBO). Further information is available from the advisories which are summarised below. https://us-cert.cisa.gov/ics/advisories/icsa-21-063-01 https://us-cert.cisa.gov/ics/advisories/icsa-21-063-02 --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/32af714c7074693f32dfa23b263… ∗∗∗ BIND vulnerability CVE-2020-8625 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13591074?utm_source=f5support&utm_mediu… ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0238 ∗∗∗ Security Bulletin: Google-api-client as used by IBM QRadar SIEM is vulnerable to authorization bypass (CVE-2020-7692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (March 2021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2021
by Daily end-of-shift report 04 Mar '21

04 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-03-2021 18:30 − Donnerstag 04-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Researcher bitsquats Microsofts windows.com to steal traffic ∗∗∗ --------------------------------------------- A researcher was able to bitsquat Microsofts windows.com domain by cybersquatting variations of windows.com. Adversaries can abuse this tactic to conduct automated attacks or collect data due to the nature of bit flipping. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microso… ∗∗∗ Trojan Spyware and BEC Attacks ∗∗∗ --------------------------------------------- When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more [...] --------------------------------------------- https://blog.sucuri.net/2021/03/trojan-spyware-and-bec-attacks.html ∗∗∗ Cybercriminals Finding Ways to Bypass 3D Secure Fraud Prevention System ∗∗∗ --------------------------------------------- Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions. --------------------------------------------- https://www.securityweek.com/cybercriminals-finding-ways-bypass-3d-secure-f… ∗∗∗ Kryptowährung einzahlen und das Doppelte zurückerhalten? FAKE! ∗∗∗ --------------------------------------------- Die Watchlist Internet sowie die Internet Ombudsstelle erhalten immer häufiger Nachrichten verzweifelter KonsumentInnen. Sie bezahlen hohe Beträge in Kryptowährungen wie Bitcoin, Ethereum oder Ripple auf betrügerischen Plattformen ein, die eine Rückzahlung des Doppelten oder eines Vielfachen des Betrags versprechen. Jegliche Einzahlung ist verloren und das Geld kann nicht mehr zurückgeholt werden! --------------------------------------------- https://www.watchlist-internet.at/news/kryptowaehrung-einzahlen-und-das-dop… ===================== = Vulnerabilities = ===================== ∗∗∗ Windows DNS SIGRed bug gets first public RCE PoC exploit ∗∗∗ --------------------------------------------- A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-… ∗∗∗ D-Link: Update für Wireless Access Point DAP-2020 beseitigt drei Schwachstellen ∗∗∗ --------------------------------------------- Ein wichtiges Firmware-Update beseitigt Angriffsmöglichkeiten aus benachbarten Netzwerken ohne Authentifizierung. --------------------------------------------- https://heise.de/-5071286 ∗∗∗ XSA-367 - Linux: netback fails to honor grant mapping errors ∗∗∗ --------------------------------------------- A malicious or buggy networking frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. In a typical (non-disaggregated) system that is a host-wide denial of service (DoS). --------------------------------------------- https://xenbits.xen.org/xsa/advisory-367.html ∗∗∗ XSA-369 - Linux: special config may crash when trying to map foreign pages ∗∗∗ --------------------------------------------- A Dom0 or driver domain based on a Linux kernel (configured as described above) can be crashed by a malicious guest administrator, or possibly malicious unprivileged guest processes. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-369.html ∗∗∗ Critical Vulnerability Patched in WooCommerce Upload Files ∗∗∗ --------------------------------------------- On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-wo… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography). --------------------------------------------- https://lwn.net/Articles/848223/ ∗∗∗ High severity Linux network security holes found, fixed ∗∗∗ --------------------------------------------- This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available. --------------------------------------------- https://www.zdnet.com/article/linux-network-security-holes-found-fixed/ ∗∗∗ Shodan Verified Vulns 2021-03-01 ∗∗∗ --------------------------------------------- Ein weiteres Monat ist vorbei und wir werfen wieder einen Blick auf die Schwachstellen, die Shodan in Österreich sieht. Mit Stand 2021-03-01 ergibt sich folgendes Bild: Zum Vormonat hat sich damit fast gar nichts verändert, nur der Gastauftritt von CVE-2019-19781 a.k.a. "Shitrix" im Jänner ist anscheinend wieder vorbei. Eine Übersicht und weiterführende Links zu allen "Verified Vulnerabilities", die Shodan in Österreich gefunden hat, findet [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/3/shodan-verified-vulns-2021-03-01 ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11 ( CVE-2020-7788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a systemd vulnerability (CVE-2019-20386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libexpat vulnerabilities (CVE-2018-20843, CVE-2019-15903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libxslt vulnerabilities (CVE-2019-11068, CVE-2019-18197) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2021
by Daily end-of-shift report 03 Mar '21

03 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-03-2021 18:00 − Mittwoch 03-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Qakbot infection with Cobalt Strike, (Wed, Mar 3rd) ∗∗∗ --------------------------------------------- On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity. --------------------------------------------- https://isc.sans.edu/diary/rss/27158 ∗∗∗ Qualys hit with ransomware: Customer invoices leaked on extortionists Tor blog ∗∗∗ --------------------------------------------- Ace infosec biz aware and investigating, were told Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/03/03/qualys_ranso… ∗∗∗ „Urlaubsguru ReiseWelt“ bewirbt Fake-Reiseangebote auf Facebook und Instagram ∗∗∗ --------------------------------------------- 12 Nächte Malediven oder zwei Wochen Thailand? Und das zu einem unschlagbaren Preis und mit der Versicherung 48 Stunden vor der Reise kostenlos stornieren zu können? Das klingt zu gut, um wahr zu sein? Ist es in diesem Fall auch. Auf Facebook und Instagram bewirbt der betrügerische Anbieter „Urlaubsguru ReiseWelt“ unglaubliche Angebote. Doch statt der versprochenen Traumreise, wird Ihnen nur das Geld gestohlen. --------------------------------------------- https://www.watchlist-internet.at/news/urlaubsguru-reisewelt-bewirbt-fake-r… ∗∗∗ Threat Actor Group Cloud Atlas Tracked by DomainTools Researchers ∗∗∗ --------------------------------------------- Researchers from DomainTools continue to see an APT group known as Cloud Atlas (also known as Inception) run campaigns which primarily focus on targeting countries formerly part of the Soviet Union with an emphasis on energy and political themes. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/ca6c08f0161ffd21cad662b80fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Android-Patchday: Kritische Remote-Sicherheitslücke aus Betriebssystem beseitigt ∗∗∗ --------------------------------------------- Zum Patchday im März hat Google unter anderem mehrere kritische Sicherheitslücken aus Android entfernt. Pixel-Geräte erhalten zahlreiche Zusatz-Patches. --------------------------------------------- https://heise.de/-5070821 ∗∗∗ Medium Severity Vulnerability Patched in User Profile Picture Plugin ∗∗∗ --------------------------------------------- On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information. --------------------------------------------- https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patche… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa). --------------------------------------------- https://lwn.net/Articles/848089/ ∗∗∗ Kritische Sicherheitslücken in Microsoft Exchange Server - Patches verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des üblichen Update-Zyklus mehrere Patches für Microsoft Exchange zur Verfügung gestellt. Einige der darin behobenen Sicherheitslücken werden nach Angaben von Microsoft und der IT-Sicherheits-Firma Volexity bereits aktiv ausgenutzt. --------------------------------------------- https://cert.at/de/warnungen/2021/3/kritische-sicherheitslucken-in-microsof… ∗∗∗ Side Channel Key Extraction Vulnerability in Bosch IP Cameras and Encoders ∗∗∗ --------------------------------------------- BOSCH-SA-762869-BT: A recently discovered side channel attack for the NXP P5x security microcontrollers was made public. It allows attackers to extract an ECDSA private key after extensive physical access to the chip. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-762869-bt.html ∗∗∗ Cisco Security Advisories - March 3rd, 2021 ∗∗∗ --------------------------------------------- Cisco has published thirteen Security Advisories. Of the advisories, one is rated as High and twelve are rated as Medium. For all advisories listed below, it is noted that Ciscos Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities" [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/a3892fab975bdb6f39d025581db… ∗∗∗ SECURITY BULLETIN: Trend Micro Scan Engine Memory Exhaustion Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000285675 ∗∗∗ Security Bulletin: IBM Security Verify Bridge uses a hard-coded key to encrypt the client secret (CVE-2021-20442) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridg… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js proxy library that has a known vulnerability (183561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Security Verify Bridge uses relatively weak cryptographic algorithms in two of its functions (CVE-2021-20441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridg… ∗∗∗ Security Bulletin: Android Mobile SDK compile builder includes vulnerable components ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-android-mobile-sdk-compil… ∗∗∗ VMSA-2021-0003 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0003.html ∗∗∗ Linux nfsd kernel vulnerability CVE-2020-24394 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04553557?utm_source=f5support&utm_mediu… ∗∗∗ Hitachi ABB Power Grids Ellipse EAM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-061-01 ∗∗∗ Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-061-02 ∗∗∗ MB connect line mbCONNECT24, mymbCONNECT24 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-061-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2021
by Daily end-of-shift report 02 Mar '21

02 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 01-03-2021 18:00 − Dienstag 02-03-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ European e-ticketing platform Ticketcounter extorted in data breach ∗∗∗ --------------------------------------------- A Dutch e-Ticketing platform has suffered a data breach after a user database containing 1.9 million unique email addresses was stolen from an unsecured staging server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-e-ticketing-platfor… ∗∗∗ Bruce Schneier: Auch das Wirtschaftssystem trägt Schuld am Solarwinds-Hack ∗∗∗ --------------------------------------------- Mit schlechter IT-Sicherheit würden Gewinne gemacht, während Verbraucher und Gesellschaft die Risiken trügen. Das muss sich laut Schneier ändern. --------------------------------------------- https://www.golem.de/news/bruce-schneier-auch-das-wirtschaftssystem-traegt-… ∗∗∗ Inside the Ransomware Economy ∗∗∗ --------------------------------------------- The trouble with ransomware is well known at this point. From Egregor to Doppelpaymer to Ryuk, it continues to command headlines. Pandemic-fueled phishing scams, the lack of visibility across remote endpoints, and lax attitudes have been a boon for ransomware groups over the last year. Worst of all, ransomware no longer discriminates. It dominates small towns and municipal offices, video game makers, and shamelessly, healthcare organizations and school systems already pushed to the brink by the COVID-19 pandemic. The threat could still become more pervasive over the next two to three years, not because ransomware is effective in and of itself but because of other players in the game - insurance companies, brokers, and even attorneys - that continue to fan the flames. --------------------------------------------- https://www.securityweek.com/inside-ransomware-economy ∗∗∗ Einreiseanmeldung für Deutschland nicht über „digitale-einreiseanmeldung.de“ vornehmen ∗∗∗ --------------------------------------------- Die Corona-Pandemie erschwert die Einreise in andere Länder erheblich. Für eine Reise nach Deutschland muss beispielsweise unter Umständen zuvor eine digitale Einreisanmeldung vorgenommen werden. Bei der Recherche über Einreisebestimmungen stoßen Reisende jedoch oftmals auf unseriöse Websites, die die digitale Einreisanmeldung kostenpflichtig anbieten. Nehmen Sie von kostenpflichtigen Angeboten zur Einreiseanmeldung Abstand. Es ist unklar, ob diese Anbieter Ihre [...] --------------------------------------------- https://www.watchlist-internet.at/news/einreiseanmeldung-fuer-deutschland-n… ∗∗∗ Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns ∗∗∗ --------------------------------------------- Cybercriminals use fast flux to maintain uptime for malicious activities. We show how it works in a fictional scenario and real-world case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/fast-flux-101/ ∗∗∗ Povlsomware Ransomware ∗∗∗ --------------------------------------------- Povlsomware markets itself as a proof-of-concept (POC) ransomware designed to test security vendor products. Trend Micro reports on some interesting capabilities associated with the malware. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/e7d232e9df181a3c873c3eaeb56… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin - March 2021 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2021-03-01 ∗∗∗ Zehn Sicherheitslücken in Server-Konfigurationssoftware Saltstack geschlossen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Serversoftware Saltstack. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-5069120 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/847944/ ∗∗∗ Joomla! Security Announcements ∗∗∗ --------------------------------------------- [20210301] - Core - Insecure randomness within 2FA secret generation https://developer.joomla.org:443/security-centre/841-20210301-core-insecure… [20210302] - Core - Potential Insecure FOFEncryptRandval https://developer.joomla.org:443/security-centre/842-20210302-core-potentia… [20210303] - Core - XSS within alert messages showed to users https://developer.joomla.org:443/security-centre/843-20210303-core-xss-with… [20210304] - Core - XSS within the feed parser library https://developer.joomla.org:443/security-centre/844-20210304-core-xss-with… [20210305] - Core - Input validation within the template manager https://developer.joomla.org:443/security-centre/845-20210305-core-input-va… [20210306] - Core - com_media allowed paths that are not intended for image uploads https://developer.joomla.org:443/security-centre/846-20210306-core-com-medi… [20210307] - Core - ACL violation within com_content frontend editing https://developer.joomla.org:443/security-centre/847-20210307-core-acl-viol… [20210308] - Core - Path Traversal within joomla/archive zip class https://developer.joomla.org:443/security-centre/848-20210308-core-path-tra… [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field https://developer.joomla.org:443/security-centre/849-20210309-core-inadequa… --------------------------------------------- https://developer.joomla.org/security-centre.html ∗∗∗ Linux NFS kernel vulnerablity CVE-2020-25212 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42355373 ∗∗∗ [webapps] Tiny Tiny RSS - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/49606 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center has addressed multiple vulnerabilities (Q12021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: Datacap Taskmaster Capture is affected by vulnerable to AppScan's SSLv3 Client Hello with CBC cipher suites that contain TLS_FALLBACK_SCSV ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-captur… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2021
by Daily end-of-shift report 01 Mar '21

01 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-02-2021 18:00 − Montag 01-03-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ryuk ransomware now self-spreads to other Windows LAN devices ∗∗∗ --------------------------------------------- A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spr… ∗∗∗ Mobile malware evolution 2020 ∗∗∗ --------------------------------------------- In 2020, Kaspersky mobile products and technologies detected 156,710 new mobile banking Trojans and 20,708 new mobile ransomware Trojans. --------------------------------------------- https://securelist.com/mobile-malware-evolution-2020/101029/ ∗∗∗ Maldocs: Protection Passwords, (Sun, Feb 28th) ∗∗∗ --------------------------------------------- In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords. --------------------------------------------- https://isc.sans.edu/diary/rss/27146 ∗∗∗ Top 5 der simpelsten und effektivsten Maßnahmen, um Hackerangriffen vorzubeugen ∗∗∗ --------------------------------------------- Ganz egal mit welcher Art von Angreifer man es zu tun hat, die Schritte von der initialen Kompromittierung bis hin zur vollständigen "Domain Dominance" folgen gleichen Mustern. --------------------------------------------- https://sec-consult.com/de/blog/detail/top-5-der-simpelsten-und-effektivste… ∗∗∗ Akute Angriffswelle auf Fritzbox-Nutzer, jetzt handeln! ∗∗∗ --------------------------------------------- Mysteriöse Zugriffsversuche von der IP-Adresse 185.232.52.55 verunsichern derzeit zahlreiche Fritzbox-Nutzer. Schützen Sie Ihren Router vor der Angriffswelle. --------------------------------------------- https://heise.de/-5068111 ∗∗∗ New ICS Threat Activity Group: KAMACITE ∗∗∗ --------------------------------------------- The new KAMACITE activity group represents a long-running set of related behaviors targeting electric utilities, oil and gas operations, and various manufacturing since at least 2014. --------------------------------------------- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kam… ∗∗∗ Free cybersecurity tool aims to help smaller businesses stay safer online ∗∗∗ --------------------------------------------- NCSC tool aims to help small businesses develop a strategy to protect themselves from cyber crime. --------------------------------------------- https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-… ∗∗∗ Laravel Apps Leaking Secrets ∗∗∗ --------------------------------------------- An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. --------------------------------------------- https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/ ∗∗∗ Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures ∗∗∗ --------------------------------------------- New versions of the MINEBRIDGE RAT were discovered and analyzed by Zscaler researchers. Their findings on the TTPs, attribution, C2 infrastructure, and attack flow are published in a recent blog. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/256c2e722c138ff5a1a711314fc… ===================== = Vulnerabilities = ===================== ∗∗∗ Authentication Bypass Schwachstelle in Genua GenuGate High Resistance Firewall ∗∗∗ --------------------------------------------- Die Genua GenuGate High Resistance Firewall ist von einer kritischen Authentication Bypass Schwachstelle betroffen. Ein unauthentifizierter Angreifer kann sich durch Manipulation bestimmter HTTP POST Parameter beim Login als beliebiger Benutzer im Admin-Webinterface, Sidechannel Web und Userweb Interface, anmelden und somit die höchsten Rechte (root) erlangen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass… ∗∗∗ Google shares PoC exploit for critical Windows 10 Graphics RCE bug ∗∗∗ --------------------------------------------- Project Zero, Googles 0day bug-hunting team, shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-shares-poc-exploit-fo… ∗∗∗ D-LinkGATE Remote Code Execution ∗∗∗ --------------------------------------------- CVE-Nummern: CVE-2021-27249, CVE-2021-27250 Product: DAP-2020 (Since the vulnerability affects a core component further models might be subject to this vulnerability) Vulnerabilities: - Blind RCE - Blind RCE to full RCE escalation - Log Injection - Arbitrary File Read - Arbitrary File upload - LPE [...] --------------------------------------------- https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint). --------------------------------------------- https://lwn.net/Articles/847778/ ∗∗∗ Minion privilege escalation exploit patched in SaltStack Salt project ∗∗∗ --------------------------------------------- The bug permitted attackers to perform privilege escalation attacks in the automation software. --------------------------------------------- https://www.zdnet.com/article/minion-hijacking-flaw-patched-in-saltstack-sa… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily