Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 28.01.2021
by Daily end-of-shift report 28 Jan '21

28 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-01-2021 18:00 − Donnerstag 28-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th) ∗∗∗ --------------------------------------------- Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal). --------------------------------------------- https://isc.sans.edu/diary/rss/27036 ∗∗∗ Italy CERT Warns of a New Credential Stealing Android Malware ∗∗∗ --------------------------------------------- Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. --------------------------------------------- https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html ∗∗∗ CISA Malware Analysis on Supernova ∗∗∗ --------------------------------------------- CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/27/cisa-malware-anal… ∗∗∗ Pro-Ocean: Rocke Group’s New Cryptojacking Malware ∗∗∗ --------------------------------------------- In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero. --------------------------------------------- https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojackin… ∗∗∗ US and Bulgarian authorities disrupt NetWalker ransomware operation ∗∗∗ --------------------------------------------- Authorities seize dark web domains, charge a Canadian, and seize $454,000 in cryptocurrency. --------------------------------------------- https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalke… ∗∗∗ Stack Overflow: Heres what happened when we were hacked back in 2019 ∗∗∗ --------------------------------------------- Company goes into detail on how a hacker used Overflows community knowledge-sharing to figure out how to hack it back in 2019. --------------------------------------------- https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-we… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Chrome blocks 7 more ports to stop NAT Slipstreaming attacks ∗∗∗ --------------------------------------------- Google Chrome now blocks access to websites on an additional seven TCP ports to protect against the NAT Slipstreaming 2.0 vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-chrome-blocks-7-more-… ∗∗∗ The Wordfence 2020 WordPress Threat Report ∗∗∗ --------------------------------------------- Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress [...] --------------------------------------------- https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-… ∗∗∗ Windows Installer Local Privilege Escalation 0day Gets a Micropatch ∗∗∗ --------------------------------------------- On December 26, security researcher Abdelhamid Naceri published a blog post with a number of 0days in various security products and a local privilege escalation 0day in Windows Installer. --------------------------------------------- https://blog.0patch.com/2021/01/windows-installer-local-privilege.html ∗∗∗ Local Privilege Escalation 0day in PsExec Gets a Micropatch ∗∗∗ --------------------------------------------- Update 1/28/2021: Since our publication of micropatch for PsExec version 2.2, PsExec has been updated to versions 2.30, 2.31 and finally 2.32. where it still resides today. David was able to update his POC for each version so the current version 2.32. is still vulnerable to the same attack. --------------------------------------------- https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2,[...] --------------------------------------------- https://lwn.net/Articles/844366/ ∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000284205 ∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000284202 ∗∗∗ SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000284206 ∗∗∗ JasPer: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0100 ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0099 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2021
by Daily end-of-shift report 27 Jan '21

27 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-01-2021 18:00 − Mittwoch 27-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet Takedown: Wir informieren Betroffene in Österreich ∗∗∗ --------------------------------------------- In einer koordinierten Aktion von mehreren Strafverfolgungsbehörden wurde das Netzwerk rund um die Malware Emotet ausgeschaltet und übernommen. --------------------------------------------- https://cert.at/de/aktuelles/2021/1/emotet-takedown-wir-informieren-betroff… ∗∗∗ Heres how a researcher broke into Microsoft VS Codes GitHub ∗∗∗ --------------------------------------------- This month a researcher was awarded a bug bounty award of an undisclosed amount after he broke into the official GitHub repository of Microsoft Visual Studio Code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke… ∗∗∗ Linux malware uses open-source tool to evade detection ∗∗∗ --------------------------------------------- AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-malware-uses-open-sour… ∗∗∗ Phishing & Malspam with Leaf PHPMailer ∗∗∗ --------------------------------------------- It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL or download a malicious attachment. --------------------------------------------- https://blog.sucuri.net/2021/01/phishing-malspam-with-leaf-phpmailer.html ∗∗∗ Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication ∗∗∗ --------------------------------------------- FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff… ∗∗∗ Vorsicht beim Online-Kauf von FFP2-Masken! ∗∗∗ --------------------------------------------- Auf den Webseiten givenic.com und quantheco.com werden günstige FFP2-Masken und weitere „COVID-19 Gesundheitstools“ angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-online-kauf-von-ffp2-m… ∗∗∗ LogoKit: Simple, Effective, and Deceptive ∗∗∗ --------------------------------------------- As sophisticated attacks dominate the headlines, its important to remember that the vast majority of cybercrime results from simple, effective, and tested tools. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/logokit-phishing/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple critical patches fix in-the-wild iPhone exploits – update now! ∗∗∗ --------------------------------------------- Apple says. "Additional details available soon", which you can translate as "this one took us by surprise". So patch now! --------------------------------------------- https://nakedsecurity.sophos.com/2021/01/27/apple-critical-patches-fix-in-t… ∗∗∗ New Attack Could Let Remote Hackers Target Devices On Internal Networks ∗∗∗ --------------------------------------------- A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research. --------------------------------------------- https://thehackernews.com/2021/01/new-attack-could-let-remote-hackers.html ∗∗∗ New Docker Container Escape Bug Affects Microsoft Azure Functions ∗∗∗ --------------------------------------------- Cybersecurity researchers today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them. --------------------------------------------- https://thehackernews.com/2021/01/new-docker-container-escape-bug-affects.h… ∗∗∗ Sicherheitsupdate: Tor Browser vor möglichen Schadcode-Attacken geschützt ∗∗∗ --------------------------------------------- Wer weiterhin anonym und sicher mit dem Tor Browser im Internet surfen möchte, sollte die aktuelle Version installieren. --------------------------------------------- https://heise.de/-5037561 ∗∗∗ Jetzt updaten: Kritische sudo-Lücke gewährt lokalen Angreifern Root-Rechte ∗∗∗ --------------------------------------------- Über die zehn Jahre alte Lücke CVE-2021-3156 können lokale Angreifer Root-Rechte via sudo ohne sudo-Berechtigungen erlangen. --------------------------------------------- https://heise.de/-5037687 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo). --------------------------------------------- https://lwn.net/Articles/844184/ ∗∗∗ OS command injection vulnerability in multiple Infoscience Corporation log management tools ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN41853173/ ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210127-… ∗∗∗ Mozilla Firefox und Thunderbird: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0093 ∗∗∗ MISP: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0097 ∗∗∗ Trend Micro ServerProtect: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0095 ∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01 ∗∗∗ Eaton EASYsoft (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03 ∗∗∗ Mitsubishi Electric Multiple Products (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01 ∗∗∗ Denial of Service in Rexroth ID 200/C-ETH using EtherNet/IP Protocol ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-775371.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2021
by Daily end-of-shift report 26 Jan '21

26 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Montag 25-01-2021 18:00 − Dienstag 26-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Fun with NMAP NSE Scripts and DOH (DNS over HTTPS), (Mon, Jan 25th) ∗∗∗ --------------------------------------------- DOH (DNS over HTTPS) has been implemented into the various browsers over the last year or so, and there's a fair amount of support for it on public DNS services. Because it's encrypted and over TCP, the mantra of "because privacy" has carried the day it looks like. But why do network and system admins hate it so? --------------------------------------------- https://isc.sans.edu/diary/rss/27026 ∗∗∗ Apache Software Foundation: Mehr Projekte und mehr Sicherheitswarnungen ∗∗∗ --------------------------------------------- Der Security Report 2020 der Apache Software Foundation zeigt einen Zuwachs an relevanten Sicherheitswarnungen für die Projekte unter dem Dach der Stiftung. --------------------------------------------- https://heise.de/-5035647 ∗∗∗ SMS „Wir konnten Ihr Paket nicht liefern“ ist Betrug ∗∗∗ --------------------------------------------- „Wir konnten Ihr Paket nicht liefern“ lautet eine SMS von InfoTrack. Über den angeführten Link gelangen Sie zu einer Aufforderung, 1 Euro für den Versand zu bezahlen. Doch Vorsicht: Bei dieser Benachrichtigung handelt es sich um eine Betrugsmasche. Wer diese Gebühr bezahlt, tappt in eine teure Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/sms-wir-konnten-ihr-paket-nicht-lief… ∗∗∗ New Variant of Ursnif Continuously Targeting Italy ∗∗∗ --------------------------------------------- Ursnif is a well-known banking Trojan with a large number of variants providing a diverse set of capabilities. A report from Fortinet analyzes a new variant of the malware specifically targeting users in Italy. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/669b7072b9792bc67a9d430517e… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt). --------------------------------------------- https://lwn.net/Articles/844054/ ∗∗∗ Nagios Enterprises Nagios XI: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Nagios Enterprises Nagios XI ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0087 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2021
by Daily end-of-shift report 25 Jan '21

25 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-01-2021 18:00 − Montag 25-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge, version 88 ∗∗∗ --------------------------------------------- We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 88! We have reviewed the settings in Microsoft Edge version 88 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 88 package from the Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Video: Doc & RTF Malicious Document, (Sun, Jan 24th) ∗∗∗ --------------------------------------------- I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files. --------------------------------------------- https://isc.sans.edu/diary/rss/27022 ∗∗∗ Scanning for Accessible MS-RDPEUDP services ∗∗∗ --------------------------------------------- We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet. --------------------------------------------- https://www.shadowserver.org/news/scanning-for-accessible-ms-rdpeudp-servic… ∗∗∗ RIFT: Analysing a Lazarus Shellcode Execution Method ∗∗∗ --------------------------------------------- After analysing the macro document, and pivoting on the macro, NCC Group’s RIFT identified a number of other similar documents. In these documents we came across an interesting technique being used to execute shellcode from VBA without the use of common “suspicious” APIs, such as VirtualAlloc, WriteProcessMemory or CreateThread – which may be detected by end point protection solutions. Instead, the macro documents abuse “benign” Windows API features toachieve code-execution. --------------------------------------------- https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode… ∗∗∗ Firewall-Hersteller SonicWall untersucht mögliche Zero-Day-Lücken in Produkten ∗∗∗ --------------------------------------------- Angreifer haben bislang unbekannte Lücken in SonicWall-Produkten ausgenutzt, um ins System des Herstellers einzudringen. --------------------------------------------- https://heise.de/-5033933 ∗∗∗ Von niedrig bis kritisch: Schwachstellenbewertung mit CVSS ∗∗∗ --------------------------------------------- Das Common Vulnerability Scoring System hilft bei der Bewertung von Schwachstellen. Wir erklären Funktionsweise und Grenzen des Systems. --------------------------------------------- https://heise.de/-5031983 ∗∗∗ DNSpooq: Wie sehr spukts in Österreich? ∗∗∗ --------------------------------------------- Am 2021-01-19 veröffentlichte JSOF eine Reihe von Schwachstellen in dnsmasq, einer populären DNS-Resolver Software für kleine Netzwerke. Ihr Blogpost dazu fasst diese Lücken unter dem Namen “DNSpooq" zusammen und beschreibt zwei mögliche Angriffsszenarien: ... --------------------------------------------- https://cert.at/de/aktuelles/2021/1/dnspooq-wie-sehr-spukts-in-osterreich ∗∗∗ Rückblick auf das letzte Drittel 2020 ∗∗∗ --------------------------------------------- Vorfälle und Aussendungen: ZeroLogon, Emotet, Microsoft Exchange CVE-2020-0688, Windows Server ohne Support, Ungepatchte Sophos Firewall XG Instanzen, SonicOS DoS und RCE, cit0day Leak, Ein Leak kommt selten allein, ... --------------------------------------------- https://cert.at/de/blog/2021/1/ruckblick-auf-das-letzte-drittel-2020 ===================== = Vulnerabilities = ===================== ∗∗∗ BlackBerry Powered by Android Security Bulletin - January 2021 ∗∗∗ --------------------------------------------- This advisory is in response to the Android Security Bulletin (January 2021) and addresses issues in that Security Bulletin that affect BlackBerry powered by Android smartphones. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (ImageMagick, hawk2, mutt, permissions, stunnel) and Ubuntu (pound). --------------------------------------------- https://lwn.net/Articles/843855/ ∗∗∗ Cisco DNA Center Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Synology-SA-21:01 DNSpooq ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2021
by Daily end-of-shift report 22 Jan '21

22 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-01-2021 18:00 − Freitag 22-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd) ∗∗∗ --------------------------------------------- When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the .jnlp extension. --------------------------------------------- https://isc.sans.edu/diary/rss/27018 ∗∗∗ Magento PHP Injection Loads JavaScript Skimmer ∗∗∗ --------------------------------------------- A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files. --------------------------------------------- https://blog.sucuri.net/2021/01/magento-php-injection-loads-javascript-skim… ∗∗∗ Project Zero: Windows Exploitation Tricks: Trapping Virtual Memory Access ∗∗∗ --------------------------------------------- This blog is a continuation of my series of Windows exploitation tricks. This one describes an exploitation trick I’ve been trying to develop for years, succeeding (mostly, more on that later) on the latest versions of Windows 10. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/01/windows-exploitation-tricks-… ∗∗∗ Crypto-Miner Dovecat hat es auf Netz-Speicher von Qnap und Synology abgesehen ∗∗∗ --------------------------------------------- Aktuelle Sicherheitshinweise sollen Netzwerkspeicher (NAS) von Qnap und Synology schützen. --------------------------------------------- https://heise.de/-5032679 ∗∗∗ New website launched to document vulnerabilities in malware strains ∗∗∗ --------------------------------------------- Launched by security researcher John Page, the new MalVuln website lists bugs in malware code. --------------------------------------------- https://www.zdnet.com/article/new-website-launched-to-document-vulnerabilit… ∗∗∗ A look at the NIS 2.0 Recitals ∗∗∗ --------------------------------------------- The EU commission dropped a large cyber security package on December 16th 2020, including a first draft for a new version of the NIS Directive. In front of the actual normative legal text, there are 84 recitals, describing the intents of the regulation. --------------------------------------------- https://cert.at/en/blog/2021/1/nis2-recitals-feedback ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 ∗∗∗ --------------------------------------------- Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN38248512/ ∗∗∗ Mehrere Schwachstellen in Selea CarPlateServern und Selea Targa IP OCR-ANPR Kameras ∗∗∗ --------------------------------------------- Zeroscience hat diverse Schwachstellen in zwei Produkten der Firma Selea gefunden. Bei beiden wurden unter anderem Möglichkeiten gefunden, fremden Code auszuführen. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ 0day in Windows 7 and Server 2008 R2 Gets a Micropatch ∗∗∗ --------------------------------------------- Update 1/22/2021: This vulnerability did not get patched by December 2020 or January 2021 Extended Security Updates, so we ported our micropatch to these updates. --------------------------------------------- https://blog.0patch.com/2020/11/0day-in-windows-7-and-server-2008-r2.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack). --------------------------------------------- https://lwn.net/Articles/843571/ ∗∗∗ Windows RDP servers are being abused to amplify DDoS attacks ∗∗∗ --------------------------------------------- Windows RDP servers running on UDP port 3389 can be ensnared in DDoS botnets and abused to bounce and amplify junk traffic towards victim networks. --------------------------------------------- https://www.zdnet.com/article/windows-rdp-servers-are-being-abused-to-ampli… ∗∗∗ Delta Electronics ISPSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use After Free vulnerability in Delta Electronics ISPSoft PLC program development tool. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-01 ∗∗∗ Delta Electronics TPEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for Untrusted Pointer Dereference, and Out-of-bounds Write vulnerabilities in Delta Electronics TPEditor programming software for Delta text panels. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-02 ∗∗∗ Honeywell OPC UA Tunneller ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, Out-of-bounds Read, Improper Check for Unusual or Exceptional Conditions, and Uncontrolled Resource Consumption vulnerabilities in Honeywells OPC UA Tunneller software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03 ∗∗∗ Mitsubishi Electric MELFA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electrics MELFA robot controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-04 ∗∗∗ WAGO M&M Software fdtCONTAINER ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in the M&M (a WAGO subsidiary) fdtCONTAINER application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05 ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to a denial of service attack (CVE-2020-4766) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru… ∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects GCM16 & GCM32 KVM Switch Firmware (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple Mozilla Firefox vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Security Vulnerability in IBM Java SDK affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2021
by Daily end-of-shift report 21 Jan '21

21 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-01-2021 18:00 − Donnerstag 21-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop ∗∗∗ --------------------------------------------- One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for? --------------------------------------------- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solor… ∗∗∗ Powershell Dropping a REvil Ransomware, (Thu, Jan 21st) ∗∗∗ --------------------------------------------- I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!. --------------------------------------------- https://isc.sans.edu/diary/rss/27012 ∗∗∗ Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw ∗∗∗ --------------------------------------------- A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020. --------------------------------------------- https://www.securityweek.com/scanning-activity-detected-after-release-explo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle). --------------------------------------------- https://lwn.net/Articles/843413/ ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are affected by vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser (CVE-2018-1311) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: Vulnerability in gencore affects AIX (CVE-2020-4887) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gencore-… ∗∗∗ Security Bulletin: Vulnerability in Apache Ant affects IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerability in Google Guava affects WebSphere Service Registry and Repository (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-g… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4969) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Rational Test Control Panel affected by Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-test-control-pan… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4958) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4966) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ XSA-360 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-360.html ∗∗∗ Drupal: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0081 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2021
by Daily end-of-shift report 20 Jan '21

20 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-01-2021 18:00 − Mittwoch 20-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Qakbot activity resumes after holiday break, (Wed, Jan 20th) ∗∗∗ --------------------------------------------- It had been relatively quiet for Qakbot until Tuesday 2021-01-19, when we started seeing malicious spam (malspam) pushing Qakbot again. --------------------------------------------- https://isc.sans.edu/diary/rss/27008 ∗∗∗ Google Poject Zero: The State of State Machines ∗∗∗ --------------------------------------------- On January 29, 2019, a serious vulnerability was discovered in Group FaceTime. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.… ∗∗∗ Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments ∗∗∗ --------------------------------------------- A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-target… ∗∗∗ Abuse.ch URLhaus als neue Datenquelle für unsere Aussendungen aufgenommen ∗∗∗ --------------------------------------------- Seit Mittwoch, 13. Jänner 2020 senden wir die Daten der URLhaus Feeds des abuse.ch-Projekts in unseren regelmäßigen Benachrichtigungen an Netzbetreiber aus. Die Feeds umfassen URLs, die Malwaredateien diverser Schadsoftwarefamilien hosten. --------------------------------------------- https://cert.at/de/blog/2021/1/abusech-urlhaus-als-neue-datenquelle-fur-uns… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - January 2021 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 329 new security patches. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2021.html ∗∗∗ Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 ∗∗∗ --------------------------------------------- In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-harden… ∗∗∗ Cisco Security Advisories 2021-01-20 ∗∗∗ --------------------------------------------- 4 Critical, 9 High, 18 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Rechteausweitung: Kritische Lücke in älteren iOS- und macOS-Versionen ∗∗∗ --------------------------------------------- Der Bug in Apples XPC-Schnittstelle lässt sich ausnutzen, um erweiterte Rechte zu erlangen, warnt ein Sicherheitsforscher. --------------------------------------------- https://heise.de/-5030842 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (coturn, dovecot, glibc, and sudo), Mageia (openldap and resource-agents), openSUSE (dnsmasq, python-jupyter_notebook, viewvc, and vlc), Oracle (dnsmasq and xstream), SUSE (perl-Convert-ASN1, postgresql, postgresql13, and xstream), and Ubuntu (nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, pillow, pyxdg, and thunderbird). --------------------------------------------- https://lwn.net/Articles/843255/ ∗∗∗ Two Vulnerabilities in Bosch Fire Monitoring System (FSM) ∗∗∗ --------------------------------------------- BOSCH-SA-332072-BT: Two vulnerabilties have been discovered affecting the Bosch Fire Monitoring System (FSM-2500 and FSM-5000). The critical issue applies to FSM systems with versions 5.2 and lower. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-332072-bt.html ∗∗∗ Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Inconsistent Interpretation of HTTP Requests Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210120-… ∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210120-… ∗∗∗ Intel Ethernet 700 Series Controllers vulnerabilities CVE-2020-8690, CVE-2020-8691, CVE-2020-8692, and CVE-2020-8693 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28563873 ∗∗∗ MISP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0057 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2021
by Daily end-of-shift report 19 Jan '21

19 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Montag 18-01-2021 18:00 − Dienstag 19-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Linux Devices Under Attack by New FreakOut Malware ∗∗∗ --------------------------------------------- The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks. --------------------------------------------- https://threatpost.com/linux-attack-freakout-malware/163137/ ∗∗∗ Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims networks—which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks. --------------------------------------------- https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html ∗∗∗ Jetzt neues Passwort vergeben! OpenWrt-Forum gehackt ∗∗∗ --------------------------------------------- Angreifer konnten auf Nutzerdaten des OpenWrt-Forums zugreifen. Dort tauschen sich Nutzer des alternativen Betriebssystems u.a. für Router aus. --------------------------------------------- https://heise.de/-5028697 ∗∗∗ Three Word Passwords ∗∗∗ --------------------------------------------- The National Cyber Security Centre (NCSC) have advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency, and multiple police forces in the UK…. but just how strong are these passwords? --------------------------------------------- https://www.pentestpartners.com/security-blog/three-word-passwords/ ∗∗∗ All That for a Coinminer? ∗∗∗ --------------------------------------------- A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tickets ... --------------------------------------------- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/ ===================== = Vulnerabilities = ===================== ∗∗∗ DNSpooq: Mehrere Sicherheitslücken in Dnsmasq ∗∗∗ --------------------------------------------- Die IT-Sicherheitsfirma JSOF berichtet über mehrere Sicherheitslücken in der DNS-Serversoftware Dnsmasq, die sie DNSpooq genannt hat. Dabei handelt es sich um zwei zunächst völlig unterschiedliche Klassen von Problemen: Buffer Overflows in der Verarbeitung von DNSSEC-Records und einen unzureichenden Schutz vor DNS-Spoofing-Angriffen. ... Dnsmasq hat die entsprechenden Lücken in Version 2.83 geschlossen. Doch in vielen Fällen dürfte es schwer sein, Updates zu installieren. Dnsmasq wird sehr häufig in Embedded-Geräten und auch auf Android-Telefonen eingesetzt - also auf den Geräten, für die es häufig keine regelmäßigen Sicherheitsupdates gibt. Die Webseite von DNSpooq listet eine ganze Reihe von betroffenen Herstellern sowie deren Security-Advisories auf, die Liste dürfte aber unvollständig sein. --------------------------------------------- https://www.golem.de/news/dnspooq-mehrere-sicherheitsluecken-in-dnsmasq-210… ∗∗∗ Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the Universal Plug and Play (UPnP) service and the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow a remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has not released software updates that address these vulnerabilities. There are no workarounds --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow). --------------------------------------------- https://lwn.net/Articles/843142/ ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Confluence ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0052 ∗∗∗ Philips Interventional Workstations ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01 ∗∗∗ Reolink P2P Cameras ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-019-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2021
by Daily end-of-shift report 18 Jan '21

18 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-01-2021 18:00 − Montag 18-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Antivirus: Das Jahr der unsicheren Sicherheitssoftware ∗∗∗ --------------------------------------------- Sicherheitssoftware soll uns eigentlich schützen, doch das vergangene Jahr hat erneut gezeigt: Statt Schutz gibt es Sicherheitsprobleme frei Haus. --------------------------------------------- https://www.golem.de/news/antivirus-das-jahr-der-unsicheren-sicherheitssoft… ∗∗∗ Medical Device Security: Diagnosis Critical ∗∗∗ --------------------------------------------- Medical-device security has long been a challenge, suffering the same uphill management battle that the entire sprawling mess of IoT gadgets has faced. --------------------------------------------- https://threatpost.com/medical-device-security/163127/ ∗∗∗ Obfuscated DNS Queries, (Fri, Jan 15th) ∗∗∗ --------------------------------------------- This week I started seeing some URL with /dns-query?dns in my honeypot. The queries obviously did not look like a standard DNS queries, this got me curious and then proceeded to investigate to determine what these DNS query were trying to resolve. --------------------------------------------- https://isc.sans.edu/diary/rss/26992 ∗∗∗ New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th) ∗∗∗ --------------------------------------------- Version 13.01 of Sysmon was released, a Windows Sysinternals tool to monitor and log system activity. --------------------------------------------- https://isc.sans.edu/diary/rss/26994 ∗∗∗ Doc & RTF Malicious Document, (Mon, Jan 18th) ∗∗∗ --------------------------------------------- A reader pointed us to a malicious Word document. --------------------------------------------- https://isc.sans.edu/diary/rss/26996 ∗∗∗ NSA Releases Guidance on Encrypted DNS in Enterprise Environments ∗∗∗ --------------------------------------------- Original release date: January 15, 2021The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guid… ∗∗∗ Skimming: Schaden durch Datenklau an Geldautomaten auf Rekordtief ∗∗∗ --------------------------------------------- Experten halten den Datenklau an Geldautomaten in Deutschland für ein Auslaufmodell. Sowohl Zahl der Angriffe als auch Schäden sanken 2020 auf Rekordtief. --------------------------------------------- https://heise.de/-5026975 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-072: NETGEAR R7450 SOAP API RecoverAdminPassword Improper Access Control Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-072/ ∗∗∗ ZDI-21-071: NETGEAR R7450 Password Recovery External Control of Critical State Data Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-071/ ∗∗∗ ZDI-21-070: Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-070/ ∗∗∗ ZDI-21-069: Apple macOS process_token_BlitLibSetup2D Out-Of-Bounds Write Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-069/ ∗∗∗ Kritische Admin-Lücke in Wordpress-Plug-in Orbit Fox ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das Wordpress-Plug-in Orbit Fox. --------------------------------------------- https://heise.de/-5027252 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flatpak, ruby-redcarpet, and wavpack), Fedora (dia, mingw-openjpeg2, and openjpeg2), Mageia (awstats, bison, cairo, kernel, kernel-linus, krb5, nvidia-current, nvidia390, php, and thunderbird), openSUSE (cobbler, firefox, kernel, libzypp, zypper, nodejs10, nodejs12, and nodejs14), Scientific Linux (thunderbird), Slackware (wavpack), SUSE (kernel, nodejs8, open-iscsi, openldap2, php7, php72, php74, slurm_20_02, and thunderbird), and Ubuntu (ampache,[...] --------------------------------------------- https://lwn.net/Articles/842834/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit,[...] --------------------------------------------- https://lwn.net/Articles/843054/ ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11 (CVE-2020-2590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Websphere Hibernate Validator Vulnerability Affects IBM Control Center (CVE-2020-10693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-hibernate-valid… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2020-4576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: Apache ActiveMQ Vulnerability Affects IBM Control Center (CVE-2020-13920) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-activemq-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2021
by Daily end-of-shift report 15 Jan '21

15 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-01-2021 18:00 − Freitag 15-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ErpresserInnen kennen Ihre persönlichen Daten? Nicht einschüchtern lassen! ∗∗∗ --------------------------------------------- Immer wieder werden uns erpresserische E-Mails gemeldet, in denen persönliche Daten der Betroffenen genannt werden. Aktuell ist eine Erpressungsmail im Umlauf, in der die Kriminellen vorgeben einiges über die EmpfängerInnen zu wissen. Als Beweis geben sie die Adresse und die Telefonnummer an. Auch wenn dieses Wissen verunsichert, sollten Sie sich nicht einschüchtern lassen und die Forderungen der ErpresserInnen ignorieren. --------------------------------------------- https://www.watchlist-internet.at/news/erpresserinnen-kennen-ihre-persoenli… ∗∗∗ Hunting for Bugs in Windows Mini-Filter Drivers ∗∗∗ --------------------------------------------- In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I’ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-… ∗∗∗ Cyber Security advice for Finance staff ∗∗∗ --------------------------------------------- Working in the finance team at PTP I’m constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education. When I [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-security-advice-for-fin… ∗∗∗ Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26990 ===================== = Vulnerabilities = ===================== ∗∗∗ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 ∗∗∗ --------------------------------------------- Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/01/14/netlogon-domain-controller-e… ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/apache-releases-s… ∗∗∗ ZDI-21-068: Panasonic Control FPWIN Pro Project File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panasonic Control FPWIN Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-068/ ∗∗∗ Mitsubishi Electric Factory Automation Products Path Traversal (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-20-212-03 Mitsubishi Electric Factory Automation Products Path Traversal that was published July 30, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Path Traversal vulnerability in Mitsubishi Electric Factory Automation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-03 ∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update B) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the advisory update titled ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update A) that was published November 5, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Unquoted Search Path or Element vulnerability in Mitsubishi Electric Factory Automation Engineering products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04 ∗∗∗ Security Bulletin: Vulnerability in Apache Solr affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: Malicious file upload and download could affect Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-malicious-file-upload-and… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerability in Google Web Toolkit may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2012-5920 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily