Daily

daily@lists.cert.at

1 participants
3085 discussions

Tageszusammenfassung - 03.11.2021
by Daily end-of-shift report 03 Nov '21

03 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-11-2021 18:00 − Mittwoch 03-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions ∗∗∗ --------------------------------------------- This article provides an overview of what the App Sandbox is and the vulnerability details as disclosed to Apple. --------------------------------------------- https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassin… ∗∗∗ Ransomware: "BlackMatter"-Gang will aufhören – mal wieder ∗∗∗ --------------------------------------------- Druck von Ermittlern veranlasst BlackMatter zum Aufhören. Ein endgültiger Abschied der alten Hasen aus dem Erpresser-Business scheint aber eher fraglich. --------------------------------------------- https://heise.de/-6247924 ∗∗∗ Sicherheitsforscher warnen vor zehntausenden verwundbaren GitLab-Servern ∗∗∗ --------------------------------------------- Obwohl es bereits mehrere Monate Sicherheitspatches für eine kritische Lücke gibt, sind einem Bericht zufolge immer noch viele GitLab-Server angreifbar. --------------------------------------------- https://heise.de/-6249588 ∗∗∗ This Steam phish baits you with free Discord Nitro ∗∗∗ --------------------------------------------- Theres another scam making rounds on Discord. And its cleverly phishing for Steam credentials. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-ba… ∗∗∗ Kleinanzeigenbetrug mit angeblichem Post-Kurier boomt! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen wenden sich derzeit an uns, da Kriminelle eine gefälschte Webseite der Post für Kleinanzeigenbetrug verwenden. Dabei suchen die BetrügerInnen auf Willhaben, Ebay, Shpock und Co. nach teuren Angeboten und erklären den VerkäuferInnen, dass der Kauf über einen Kurierdienst der Post abgewickelt werden soll. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-angeblichem-… ∗∗∗ Almost half of rootkits are used for cyberattacks against government organizations ∗∗∗ --------------------------------------------- On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage. --------------------------------------------- https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-go… ∗∗∗ "Trojan Source": Was ist da dran? ∗∗∗ --------------------------------------------- An sich schätze ich Brian Krebs, er schreibt wirklich gute Artikel, aber bei ‘Trojan Source’ Bug Threatens the Security of All Code hat er etwas übertrieben. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/trojan-source-was-ist-da-dran ∗∗∗ CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to addresses vulnerabilities that establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-2… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 16 Security Advisories veröffentlicht. Zwei davon werden als "Critical" eingestuft, zwei als "High", und zwölf als "Medium". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Patchday: Angreifer attackieren gezielt Android-Geräte ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Eine Lücke im Kernel nutzen Angreifer derzeit aus. --------------------------------------------- https://heise.de/-6247997 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak). --------------------------------------------- https://lwn.net/Articles/874980/ ∗∗∗ ZDI-21-1277: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1277/ ∗∗∗ ZDI-21-1276: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1276/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211103-… ∗∗∗ Security Bulletin: Vulnerabilities in HAProxy Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-haprox… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/ ∗∗∗ Red Hat Integration - Service Registry: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1143 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2021
by Daily end-of-shift report 02 Nov '21

02 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-10-2021 18:00 − Dienstag 02-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trojan Source: Programmiersprachen lassen sich per Unicode trojanisieren ∗∗∗ --------------------------------------------- Ein Forschungsteam zeigt systematisch, wie sich mit Unicode-Tricks Code manipulieren lässt. Open-Source-Communitys und die IT-Industrie reagieren. --------------------------------------------- https://www.golem.de/news/trojan-source-programmiersprachen-lassen-sich-per… ∗∗∗ BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool ∗∗∗ --------------------------------------------- The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports. --------------------------------------------- https://www.securityweek.com/blackmatter-ransomware-operators-develop-custo… ∗∗∗ FBI Publishes IOCs for Hello Kitty Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has published a flash alert to share details on the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the Hello Kitty ransomware, which is also known as FiveHands. --------------------------------------------- https://www.securityweek.com/fbi-publishes-iocs-hello-kitty-ransomware ∗∗∗ Webseiten-BetreiberInnen aufgepasst: Gefälschte E-Mails von WORLD4YOU im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan betrügerische E-Mails im Namen von Wordl4You. In den betrügerischen E-Mails wird behauptet, dass die Domain gesperrt wurde, abgelaufen ist oder verlängert werden muss. --------------------------------------------- https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-… ∗∗∗ EU Digital Green Certificate: Was gilt eigentlich bei uns? ∗∗∗ --------------------------------------------- Nachdem der digitale grüne Pass gerade in den Medien ist, und ich für den Standard den Erklärbären mache, will ich hier ein paar technische Informationen dokumentieren, die für einen Zeitungsartikel dann doch zu technisch sind. --------------------------------------------- https://cert.at/de/blog/2021/10/eu-digital-green-certificate-was-gilt-eigen… ∗∗∗ Shodan Verified Vulns 2021-11-01 ∗∗∗ --------------------------------------------- Das "Cyber-Security-Month" Oktober ist vorbei, aber, wie ein Blick in unsere Shodan-Daten vom 2021-11-01 verrät, hatte es keinen direkt sichtbaren Effekt: Die Veränderungen zu Anfang Oktober sind überschaubar. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/shodan-verified-vulns-2021-11-01 ∗∗∗ From Zero to Domain Admin ∗∗∗ --------------------------------------------- This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. --------------------------------------------- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ ===================== = Vulnerabilities = ===================== ∗∗∗ Android November patch fixes actively exploited kernel bug ∗∗∗ --------------------------------------------- Google has released the Android November 2021 security updates, which address 18 vulnerabilities in the framework and system components, and 18 more flaws in the kernel and vendor components. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-november-patch-fixes… ∗∗∗ Alert! Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild ∗∗∗ --------------------------------------------- A now-patched critical remote code execution (RCE) vulnerability in GitLabs web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks. --------------------------------------------- https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Tivoli Composite Application Manager for Transactions, InfoSphere Information Server, InfoSphere DataStage Flow Designer, API Connect, Application Discovery and Delivery Intelligence, MessageGateway, PowerSC. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Firefox-Updates schließen zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- Die Entwickler der Mozilla Foundation haben im Webbrowser Firefox mehr als ein Dutzend Sicherheitslücken gestopft. --------------------------------------------- https://heise.de/-6245344 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, webkit2gtk). --------------------------------------------- https://lwn.net/Articles/874623/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman). --------------------------------------------- https://lwn.net/Articles/874818/ ∗∗∗ Kaspersky Patches Vulnerability That Can Lead to Unbootable System ∗∗∗ --------------------------------------------- Kaspersky published two advisories on Monday to warn customers about a vulnerability that can lead to unbootable systems and a phishing campaign involving messages sent from a Kaspersky email address. --------------------------------------------- https://www.securityweek.com/kaspersky-patches-vulnerability-can-lead-unboo… ∗∗∗ November 1, 2021 TNS-2021-18 [R1] Nessus 10.0.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-18 ∗∗∗ Synology-SA-21:27 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_27 ∗∗∗ Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-306-01 ∗∗∗ WECON PI Studio (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2021
by Daily end-of-shift report 29 Oct '21

29 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-10-2021 18:00 − Freitag 29-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Wie Ransomware eine Stadtverwaltung Tage lang lahmlegte ∗∗∗ --------------------------------------------- Neustadt am Rübenberge war Ziel eines großen IT-Angriffs. Der Fall zeigt, wie stark sich das auswirken kann, welche Lehren Institutionen daraus ziehen sollten. --------------------------------------------- https://heise.de/-6236592 ∗∗∗ Betrügerische Mails und SMS im Namen der Volksbank im Umlauf! ∗∗∗ --------------------------------------------- Derzeit geben sich BetrügerInnen vermehrt als Volksbank aus, um per Mail oder SMS an die Online-Banking-Zugangsdaten von potenziellen Opfer zu kommen. Die Kriminellen behaupten dabei, dass eine App installiert werden müsste oder der Zugang zu dieser App gesperrt wurde. Achtung: Es handelt sich um Phishing und Smishing! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-name… ∗∗∗ SEO Poisoning Used to Distribute Ransomware ∗∗∗ --------------------------------------------- This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say. --------------------------------------------- https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribu… ∗∗∗ Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App ∗∗∗ --------------------------------------------- Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency. --------------------------------------------- https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/ ∗∗∗ Pink, a botnet that competed with the vendor to control the massive infected devices ∗∗∗ --------------------------------------------- Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...] --------------------------------------------- https://blog.netlab.360.com/pink-en/ ∗∗∗ This New Android Malware Can Gain Root Access to Your Smartphones ∗∗∗ --------------------------------------------- An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. --------------------------------------------- https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.ht… ∗∗∗ Update your OptinMonster WordPress plugin immediately ∗∗∗ --------------------------------------------- We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-y… ∗∗∗ Network Scanning Traffic Observed in Public Clouds ∗∗∗ --------------------------------------------- Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/ ∗∗∗ NSA-CISA Series on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-s… ===================== = Vulnerabilities = ===================== ∗∗∗ All Windows versions impacted by new LPE zero-day vulnerability ∗∗∗ --------------------------------------------- A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/all-windows-versions-impacte… ∗∗∗ Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X ∗∗∗ --------------------------------------------- CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN69304877/ ∗∗∗ Shrootless: Microsoft finds Apple macOS vulnerability ∗∗∗ --------------------------------------------- Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootle… ∗∗∗ XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites ∗∗∗ --------------------------------------------- On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations. --------------------------------------------- https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-soc… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/874354/ ∗∗∗ Sensormatic Electronics victor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01 ∗∗∗ Delta Electronics DOPSoft (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04 ∗∗∗ GoCD Authentication Vulnerability ∗∗∗ --------------------------------------------- GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authenticati… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: RCE Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: ZipSlip Vulnerability in Automation Studio Project Import ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: DLL Hijacking Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60553023/ ∗∗∗ ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1273/ ∗∗∗ ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1272/ ∗∗∗ ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1271/ ∗∗∗ ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1270/ ∗∗∗ ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1275/ ∗∗∗ ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1274/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2021
by Daily end-of-shift report 28 Oct '21

28 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-10-2021 18:00 − Donnerstag 28-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ QR Codes Help Attackers Sneak Emails Past Security Controls ∗∗∗ --------------------------------------------- A recently discovered campaign shows how attackers are constantly developing new techniques to deceive phishing victims. --------------------------------------------- https://www.darkreading.com/attacks-breaches/qr-codes-help-attackers-sneak-… ∗∗∗ How we took part in MLSEC and (almost) won ∗∗∗ --------------------------------------------- How we took part in the Machine Learning Security Evasion Competition (MLSEC) — a series of trials testing contestants’ ability to create and attack machine learning models. --------------------------------------------- https://securelist.com/how-we-took-part-in-mlsec-and-almost-won/104699/ ∗∗∗ EU’s Green Pass Vaccination ID Private Key Leaked ∗∗∗ --------------------------------------------- The private key used to sign the vaccine passports was leaked and is being passed around to create fake passes for the likes of Mickey Mouse and Adolf Hitler. --------------------------------------------- https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175… ∗∗∗ New Wslink Malware Loader Runs as a Server and Executes Modules in Memory ∗∗∗ --------------------------------------------- Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed "Wslink" by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. --------------------------------------------- https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html ∗∗∗ Threat profile: Ranzy Locker ransomware ∗∗∗ --------------------------------------------- What you need to know about Ranzy Locker ransomware. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/10/threat-profile-ranzy-locke… ∗∗∗ PSA: Widespread Remote Working Scam Underway ∗∗∗ --------------------------------------------- Attackers are posting jobs pretending to be from existing companies and steal money and/or personal information from jobseekers. --------------------------------------------- https://www.wordfence.com/blog/2021/10/psa-widespread-remote-working-scam-u… ∗∗∗ Trends und Entwicklungen bei Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops gibt es wie Sand am Meer - und auch sie entwickeln sich nach Trends: Von E-Bikes bis zur Playstation5. Diese Trends sind von der Saison, aber auch von Angebot und Nachfrage abhängig. Was die Watchlist Internet im letzten Jahr über Fake-Shop-Trends erfahren hat, lesen Sie hier. --------------------------------------------- https://www.watchlist-internet.at/news/trends-und-entwicklungen-bei-fake-sh… ∗∗∗ Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains ∗∗∗ --------------------------------------------- Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile. --------------------------------------------- https://therecord.media/free-decrypters-released-for-atomsilo-babuk-and-loc… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 19 Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, neun als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (salt), Slackware (bind), SUSE (salt), and Ubuntu (php5, php7.0, php7.2, php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/874210/ ∗∗∗ 2021 CWE Most Important Hardware Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List. The 2021 Hardware List is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in hardware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/2021-cwe-most-imp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2021
by Daily end-of-shift report 27 Oct '21

27 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 25-10-2021 18:00 − Mittwoch 27-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Babuk ransomware decryptor released to recover files for free ∗∗∗ --------------------------------------------- Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-r… ∗∗∗ Vorsicht: Neue Betrugswelle mit vermeintlichen DHL-SMS ∗∗∗ --------------------------------------------- Wieder sind betrügerische SMS zu Paketlieferungen im Umlauf. Ziel ist es, eine Schadsoftware aufs Handy zu bringen. --------------------------------------------- https://futurezone.at/digital-life/betrug-dhl-sms-phishing-ausstehendes-pak… ∗∗∗ Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads ∗∗∗ --------------------------------------------- UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service. --------------------------------------------- https://threatpost.com/android-scammed-sms-fraud-tik-tok/175739/ ∗∗∗ Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users ∗∗∗ --------------------------------------------- The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet. --------------------------------------------- https://threatpost.com/mozilla-firefox-blocks-malicious-add-ons-installed-b… ∗∗∗ Conti Ransom Gang Starts Selling Access to Victims ∗∗∗ --------------------------------------------- The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Contis malware who refuse to negotiate a ransom payment are added to Contis victim shaming blog, where confidential files stolen from victims may be published or sold. --------------------------------------------- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access… ∗∗∗ „Hallo Mama“ - Vorsicht vor Betrug über WhatsApp! ∗∗∗ --------------------------------------------- Aktuell versuchen BetrügerInnen über WhatsApp an das Geld von potentiellen Opfern zu kommen. Dafür geben Sie sich in einer Nachricht als Tochter oder Sohn der EmpfängerInnen aus und fordern die Überweisung von mehreren tausend Euro. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-vorsicht-vor-betrug-ueber… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Erneute Sicherheitslücke im Plugin Ninja Forms ∗∗∗ --------------------------------------------- Das beliebte Formular-Framework ist erneut von einer Sicherheitslücke betroffen. Das WordPress-Plugin ist auf mehr als einer Million Webseiten aktiv. --------------------------------------------- https://heise.de/-6229249 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/874045/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp). --------------------------------------------- https://lwn.net/Articles/874143/ ∗∗∗ Belden Security Bulletin – BSECV-2020-03: Potential denial of service vulnerability in PROFINET Devices via DCE-RPC Packets ∗∗∗ --------------------------------------------- A vulnerability in the PROFINET stack implementation in Classic Firmware, HiOS, and HiLCOS could lead to a denial of service via an out of memory condition. --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=13688&mediaformat… ∗∗∗ Security Bulletin: A vulnerability exists in the restricted shell of the IBM FlashSystem 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software – September 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Openstack Compute (Nova) noVNC proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openstack-compute-nova-no… ∗∗∗ Security Bulletin: Insufficient session expiration in IBM i2 iBase ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-session-expi… ∗∗∗ Grafana vulnerability CVE-2021-39226 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22322802 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1114 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1121 ∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-299-01 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/adobe-releases-se… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/apple-releases-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2021
by Daily end-of-shift report 25 Oct '21

25 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-10-2021 18:00 − Montag 25-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA Urges Sites to Patch Critical RCE in Discourse ∗∗∗ --------------------------------------------- The patch, urgently rushed out on Friday, is an emergency fix for the widely deployed platform, whose No. 1 most trafficked site is Amazon’s Seller Central. --------------------------------------------- https://threatpost.com/cisa-critical-rce-discourse/175705/ ∗∗∗ Schadcode in weit verbreiteter JavaScript-Bibliothek UAParser.js entdeckt ∗∗∗ --------------------------------------------- Angreifer haben die JavaScript-Bibliothek UAParser.js mit Schadcode versehen, der auf betroffenen Rechnern Kryptogeld-Miner installiert. --------------------------------------------- https://heise.de/-6226975 ∗∗∗ Ransomware BlackMatter: Forscher bieten Gratis-Decryption für einige Varianten ∗∗∗ --------------------------------------------- Wer in den letzten Monaten eine Erpresserbotschaft der "BlackMatter"-Gang auf seinen Systemen entdeckt hat, kann jetzt auf Hilfe hoffen. --------------------------------------------- https://heise.de/-6227925 ∗∗∗ Betrügerische Smartphone-Ortungsdienste ∗∗∗ --------------------------------------------- Sie haben Ihr Handy verloren – was nun? Eine Google-Suche nach „Handyortung“ ergibt über 1,5 Millionen Treffer. Apps und Services zur Handyortung erfreuen sich großer Beliebtheit. Doch Vorsicht vor „gratis“ Ortungs-Apps wie www.locating.mobi, www.geolite.mobi, www.goandfind.online. Diese führen in eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-smartphone-ortungsdie… ∗∗∗ Bericht: Ransomware-Gruppe REvil durch koordinierte Aktion mehrerer Staaten zerschlagen ∗∗∗ --------------------------------------------- An der Aktion sind unter anderem die USA beteiligt. In Sicherheitskreisen ist die Aktion wohl schon seit mehreren Tagen bekannt. --------------------------------------------- https://www.zdnet.de/88397355/bericht-ransomware-gruppe-revil-durch-koordin… ∗∗∗ DDoS attacks hit multiple email providers ∗∗∗ --------------------------------------------- At least six email service providers have been hit by large distributed denial of service (DDoS) attacks on Friday, resulting in prolonged outages, The Record has learned. --------------------------------------------- https://therecord.media/ddos-attacks-hit-multiple-email-providers/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt ∗∗∗ JSA11236 ∗∗∗ --------------------------------------------- 2021-10 Security Bulletin: Junos OS: QFX5000 Series: Traffic from the network internal to the device (128.0.0.0) may be forwarded to egress interfaces (CVE-2021-31371) --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11236 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/873965/ ∗∗∗ Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1107 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1109 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2021
by Daily end-of-shift report 22 Oct '21

22 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-10-2021 18:00 − Freitag 22-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Evil Corp demands $40 million in new Macaw ransomware attacks ∗∗∗ --------------------------------------------- Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million… ∗∗∗ Hacking gang creates fake firm to hire pentesters for ransomware attacks ∗∗∗ --------------------------------------------- The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-gang-creates-fake-fi… ∗∗∗ Using Kerberos for Authentication Relay Attacks ∗∗∗ --------------------------------------------- This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentic… ∗∗∗ Windows Exploitation Tricks: Relaying DCOM Authentication ∗∗∗ --------------------------------------------- In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-… ∗∗∗ GPS Daemon (GPSD) Rollover Bug ∗∗∗ --------------------------------------------- Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-r… ∗∗∗ CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader ∗∗∗ --------------------------------------------- Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause. --------------------------------------------- https://www.thezdi.com/blog/2021/10/20/cve-2021-28632-amp-cve-2021-39840-by… ∗∗∗ ASEC Weekly Malware Statistics (October 11th, 2021 – October 17th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 11th, 2021 (Monday) to October 17th, 2021 (Sunday). For the main category, info-stealer ranked top with 58.2%, followed by Downloader with 24.6%, RAT (Remote Administration Tool) malware with 7.4%, Backdoor malware with 4.7%, Ransomware with 4.1%, and Banking malware with 0.9%. --------------------------------------------- https://asec.ahnlab.com/en/28007/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco SD-WAN Security Bug Allows Root Code Execution ∗∗∗ --------------------------------------------- The high-severity bug, tracked as CVE-2021-1529, is an OS command-injection flaw. --------------------------------------------- https://threatpost.com/cisco-sd-wan-bug-code-execution-root/175669/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman). --------------------------------------------- https://lwn.net/Articles/873746/ ∗∗∗ Pulse Secure Pulse Connect Secure: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1103 ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1105 ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2021-32028) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow – CVE-2021-29835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2021
by Daily end-of-shift report 21 Oct '21

21 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-10-2021 18:00 − Donnerstag 21-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Cybercrime matures as hackers are forced to work smarter ∗∗∗ --------------------------------------------- An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hacker… ∗∗∗ Franken-phish: TodayZoo built from other phishing kits ∗∗∗ --------------------------------------------- A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-b… ∗∗∗ "Stolen Images Evidence" campaign pushes Sliver-based malware, (Thu, Oct 21st) ∗∗∗ --------------------------------------------- On Wednesday 2021-10-20, Proofpoint reported the TA551 (Shathak) campaign started pushing malware based on Sliver. Sliver is a framework used by red teams for adversary simluation and penetration testing. --------------------------------------------- https://isc.sans.edu/diary/rss/27954 ∗∗∗ Die Rückkehr der Rootkits – signiert von Microsoft ∗∗∗ --------------------------------------------- Forscher haben in den vergangenen Monaten verstärkt die vermeintlich ausgestorbenen Kernelschadprogramme wiederentdeckt. Eingeschleust werden sie heute anders. --------------------------------------------- https://heise.de/-6224944 ∗∗∗ Innovation aus Österreich: Fake-Shop Detector entlarvt Online-Betrüger ∗∗∗ --------------------------------------------- Fake-Shops im Internet werden immer zahlreicher und zugleich schwieriger zu erkennen. Unterstützung bietet ab sofort die Beta-Version des Fake-Shop Detectors: Das Tool untersucht im Internet-Browser in Echtzeit, ob es sich um seriöse oder betrügerische Onlineshops handelt und stellt somit ein Best Practice für den Nutzen und die Chancen des Einsatzes von Künstlicher Intelligenz für Konsumentinnen und Konsumenten dar. --------------------------------------------- https://www.watchlist-internet.at/news/innovation-aus-oesterreich-fake-shop… ∗∗∗ Using Discord infrastructure for malicious intent ∗∗∗ --------------------------------------------- Research by: Idan Shechter & Omer Ventura Check Point Research (CPR) spotted a multi-functional malware with the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord There are currently over 150 million monthly active users on Discord Users must be aware that Discord’s bot… --------------------------------------------- https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-mal… ∗∗∗ Google unmasks two-year-old phishing & malware campaign targeting YouTube users ∗∗∗ --------------------------------------------- Almost two years after a wave of complaints flooded Googles support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Googles security team has finally tracked down the root cause of these attacks. --------------------------------------------- https://therecord.media/google-unmasks-two-year-old-phishing-malware-campai… ∗∗∗ Kernel Karnage – Part 1 ∗∗∗ --------------------------------------------- I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); --------------------------------------------- https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlichte 19 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat acht Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, eines als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127 ∗∗∗ --------------------------------------------- Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. --------------------------------------------- https://jira.atlassian.com/browse/JRASERVER-72003 ∗∗∗ WinRAR’s vulnerable trialware: when free software isn’t free ∗∗∗ --------------------------------------------- In this article we discuss a vulnerability in the trial version of WinRAR which has significant consequences for the management of third-party software. This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. --------------------------------------------- https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-softwar… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, --------------------------------------------- https://lwn.net/Articles/873601/ ∗∗∗ B. Braun Infusomat Space Large Volume Pump ∗∗∗ --------------------------------------------- This advisory contains mitigation for Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation vulnerabilities in the B. Braun Infusomat Space Large Volume Pump. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in ICONICS GENESIS64 and Mitsubishi Electric MC Works64 HMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-01 ∗∗∗ Delta Electronics DIALink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Cross-site Scripting, Improper Neutralization of Formula Elements in a CSV File, Cleartext Storage of Sensitive Information, Uncontrolled Search Path Element, and Incorrect Default Permissions vulnerabilities in the Delta Electronics DIALink industrial automation server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 OPC UA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Recursion vulnerability in ICONICS GENESIS64, Mitsubishi Electric MC Works64 third-party OPC Foundation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-03 ∗∗∗ RCE in GridPro Request Management for Windows Azure Pack (CVE-2021-40371) ∗∗∗ --------------------------------------------- We recently discovered a vulnerability in GridPro Request Management versions <=2.0.7905 for Windows Azure Pack by GridPro Software. The vulnerability was assigned CVE-2021-40371 by GridPro and in the worst case scenario allows attackers to remotely execute code on the server. --------------------------------------------- https://certitude.consulting/blog/en/rce-in-gridpro-request-management-for-… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei FusionCube Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - CSV Injection Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - Improper Signature Management Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2021
by Daily end-of-shift report 20 Oct '21

20 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-10-2021 18:00 − Mittwoch 20-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ How a simple Linux kernel memory corruption bug can lead to complete system compromise ∗∗∗ --------------------------------------------- This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Busters 4.19.0-13-amd64 kernel. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memo… ∗∗∗ SuDump: Exploiting suid binaries through the kernel ∗∗∗ --------------------------------------------- We will show bugs we found in the Linux kernel that allow unprivileged users to create root-owned core files, and how we were able to use them to get an LPE through the sudo program on machines that have been configured by administrators to allow running a single innocent command. --------------------------------------------- https://alephsecurity.com/2021/10/20/sudump/ ∗∗∗ q-logger skimmer keeps Magecart attacks going ∗∗∗ --------------------------------------------- This case reminds us that web skimming attacks are ongoing even if we dont always hear about them. The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-… ∗∗∗ VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group ∗∗∗ --------------------------------------------- While monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via AppleSeed remote control malware. --------------------------------------------- https://asec.ahnlab.com/en/27346/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2021 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 419 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2021.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi, strongswan). --------------------------------------------- https://lwn.net/Articles/873462/ ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson is vulnerable to cross site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-us… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions.(CVE-2021-29752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-se… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. (CVE-2021-29763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specif… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Drupal core (CVE-2021-32610) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects the Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2021-20571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ VMSA-2021-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0024.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-36160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13401920 ∗∗∗ AUVESY Versiondog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01 ∗∗∗ Trane HVAC Systems Controls ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2021
by Daily end-of-shift report 19 Oct '21

19 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 18-10-2021 18:00 − Dienstag 19-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Umfrage: Komplexe IT und Firmenstrukturen gefährden die Cybersicherheit ∗∗∗ --------------------------------------------- Manager in Deutschland erachten unübersichtliche Technologien, Datenbestände, Betriebsumgebungen und Lieferketten als große Einfallstore für Cyberangreifer. --------------------------------------------- https://heise.de/-6222835 ∗∗∗ Sicherheitsforscher: Microsoft-Cloud verteilt zu leichtfertig Malware ∗∗∗ --------------------------------------------- IT-Spezialisten und Insider werfen Microsoft vor, auf ihren Cloud-Diensten gehostete Malware viel zu langsam zu entfernen. --------------------------------------------- https://heise.de/-6222542 ∗∗∗ SMS über eine ausständige Geldstrafe ist Fake ∗∗∗ --------------------------------------------- Viele ÖsterreicherInnen erhalten momentan ein SMS, das über ein angeblich ausstehendes Bußgeld informiert. In der Nachricht werden Sie aufgefordert, die Zahlung sofort vorzunehmen, ansonsten drohen rechtliche Schritte. Um die Zahlung zu tätigen, sollte ein Link angeklickt werden. Vorsicht: Diese Benachrichtigung ist nicht echt! Sie werden auf eine gefälschte oesterreich.gv.at-Seite geführt. Kriminelle versuchen dort an Ihre Bankdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sms-ueber-eine-ausstaendige-geldstra… ∗∗∗ Free BlackByte decryptor released, after researchers say they found flaw in ransomware code ∗∗∗ --------------------------------------------- Security experts have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. Thats right - you dont need to pay the ransom. Predictably, the ransomware gang isnt happy. --------------------------------------------- https://grahamcluley.com/free-blackbyte-decryptor-released-after-researcher… ∗∗∗ CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/18/cisa-fbi-and-nsa-… ∗∗∗ LightBasin hacking group breaches 13 global telecoms in two years ∗∗∗ --------------------------------------------- A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-bre… ∗∗∗ Trickbot module descriptions ∗∗∗ --------------------------------------------- In this article we describe the functionality of the Trickbot (aka TrickLoader or Trickster) banking malware modules and provide a tip on how to download and analyze these modules. --------------------------------------------- https://securelist.com/trickbot-module-descriptions/104603/ ∗∗∗ A New Variant of FlawedGrace Spreading Through Mass Email Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria. Enterprise security firm Proofpoint tied the malware campaign with high confidence to TA505, [...] --------------------------------------------- https://thehackernews.com/2021/10/a-new-variant-of-flawedgrace-spreading.ht… ∗∗∗ “Killware”: Is it just as bad as it sounds? ∗∗∗ --------------------------------------------- "Killware," as USA TODAY put it, is the latest cyberthreat thats even eclipsing ransomware. But is it all its hyped up to be? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes Surface Pro 3 TPM bypass with public exploit code ∗∗∗ --------------------------------------------- Microsoft has patched a security feature bypass vulnerability impacting Surface Pro 3 tablets that enables threat actors to introduce malicious devices within enterprise environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-surface-pro… ∗∗∗ Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services ∗∗∗ --------------------------------------------- Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine. Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used [...] --------------------------------------------- https://thehackernews.com/2021/10/squirrel-engine-bug-could-let-attackers.h… ∗∗∗ Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- Trend Micro hat Security Advisories zu acht Schwachstellen veröffentlicht. Die Lücken sind zwischen "Low" und "High" eingestuft. --------------------------------------------- https://success.trendmicro.com/solution/000289229 ∗∗∗ Security Bulletin for Trend Micro Worry-Free Business Security and Worry-Free Business Security Services ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Services (SaaS) that resolve several vulnerabilities listed below. --------------------------------------------- https://success.trendmicro.com/solution/000289230 ∗∗∗ RHSA-2021:3759 - Security Advisory ∗∗∗ --------------------------------------------- Red Hat OpenShift Container Platform release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. --------------------------------------------- https://access.redhat.com/errata/RHSA-2021:3759 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could [...] --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan). --------------------------------------------- https://lwn.net/Articles/873307/ ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities (CVE-2020-15168, CVE-2021-29912) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2369 and CVE-2021-2432 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily