=====================
= End-of-Day report =
=====================
Timeframe: Monday 06-12-2021 18:00 − Tuesday 07-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Code-smuggling security hole in Windows closed only half-heartedly ∗∗∗
---------------------------------------------
A hole in Windows that malicious websites could abuse to execute malicious code can still be abused to a limited extent despite the update.
---------------------------------------------
https://heise.de/-6288402
∗∗∗ Warning: job offers from „ab-group.info“ & „mctrl-marktforschung.com“ are fake ∗∗∗
---------------------------------------------
Working from home, flexible hours, freely selectable employment arrangements and, on top of that, good pay. That is what market research agencies such as „ab-group.info“ & „mctrl-marktforschung.com“ promise. But beware: these are fraudulent job offers. Applicants hand over personal data and copies of their ID documents to criminals. In the worst case, bank accounts are opened in the applicant's own name for the criminals' use!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-jobangebote-von-ab-groupinfo…
∗∗∗ STOP Ransomware vaccine released to block encryption ∗∗∗
---------------------------------------------
German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims files after infection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stop-ransomware-vaccine-rele…
∗∗∗ Apache Kafka Cloud Clusters Expose Sensitive Data for Large Companies ∗∗∗
---------------------------------------------
The culprit is misconfigured Kafdrop interfaces, used for centralized management of the open-source platform.
---------------------------------------------
https://threatpost.com/apache-kafka-cloud-clusters-expose-data/176778/
∗∗∗ WooCommerce Credit Card Swiper Injected Into Random Plugin Files ∗∗∗
---------------------------------------------
It’s that time of year again! While website owners always need to be on guard, the holiday season is when online scams and credit card theft are most rampant. Administrators of ecommerce websites need to be extra vigilant, as this case will demonstrate.
---------------------------------------------
https://blog.sucuri.net/2021/12/woocommerce-credit-card-swiper-injected-int…
∗∗∗ Cryptominers aren't just a headache – they're a big neon sign that Bad Things are on your network ∗∗∗
---------------------------------------------
So says Sophos in a warning about the Tor2Mine Monero malware. Cryptominer malware removal is a routine piece of the cybersecurity landscape these days. Yet if criminals are hijacking your compute cycles to mine cryptocurrencies, chances are there's something worse lurking on your network too.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/12/07/sophos_tor2m…
∗∗∗ Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm ∗∗∗
---------------------------------------------
Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted.
---------------------------------------------
https://blog.fox-it.com/2021/12/07/encryption-does-not-equal-invisibility-d…
∗∗∗ XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit ∗∗∗
---------------------------------------------
In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as "XE Group". Volexity believes that XE Group is likely a Vietnamese-origin criminal threat actor whose intrusions follow an approximate pattern: Compromise of externally facing services via known exploits (e.g., Telerik UI vulnerabilities) Monetization of these compromises through installation of password theft or credit card skimming code for web [...]
---------------------------------------------
https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hackin…
=====================
= Vulnerabilities =
=====================
∗∗∗ Attackers are targeting PC management software Zoho ManageEngine Desktop Central ∗∗∗
---------------------------------------------
Only the latest versions are protected. Zoho advises updating promptly.
---------------------------------------------
https://heise.de/-6287937
∗∗∗ 27 flaws in USB-over-network SDK affect millions of cloud users ∗∗∗
---------------------------------------------
Researchers have discovered 27 vulnerabilities in Eltima SDK, a library used by numerous cloud providers to remotely mount a local USB device.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/27-flaws-in-usb-over-network…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (nss), Debian (roundcube and runc), openSUSE (aaa_base, brotli, clamav, glib-networking, gmp, go1.16, hiredis, kernel, mozilla-nss, nodejs12, nodejs14, openexr, openssh, php7, python-Babel, ruby2.5, speex, wireshark, and xen), Oracle (kernel and nss), Red Hat (kpatch-patch, nss, rpm, and thunderbird), SUSE (brotli, clamav, glib-networking, gmp, kernel, mariadb, mozilla-nss, nodejs12, nodejs14, openssh, php7, python-Babel, and wireshark), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/877945/
∗∗∗ QNAP NAS: vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1252
∗∗∗ Google Android: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1251
∗∗∗ Security Bulletin: Multiple vulnerabilities in Redis affecting the IBM Event Streams UI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in IBM Event Streams through Apache Kafka key/password validation (CVE-2021-38153) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-even…
∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in the Java runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte…
∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-20254) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affecting IBM Event Streams (CVE-2021-22960 and CVE-2021-22959) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 03-12-2021 18:00 − Monday 06-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Is My Site Hacked? 4 Gut Checks ∗∗∗
---------------------------------------------
Today, we’re looking at 4 quick gut check tests you can do to get the answer to the question, “is my site hacked?”
---------------------------------------------
https://blog.sucuri.net/2021/12/is-my-site-hacked-4-gut-checks.html
∗∗∗ Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks ∗∗∗
---------------------------------------------
Enterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months. The issue, assigned the identifier CVE-2021-44515, is an authentication bypass vulnerability ...
---------------------------------------------
https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html
∗∗∗ Malicious KMSPico Windows Activator Stealing Users Cryptocurrency Wallets ∗∗∗
---------------------------------------------
Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets. The malware, dubbed "CryptBot," is an information stealer capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, credit cards, and capturing screenshots from the infected systems.
---------------------------------------------
https://thehackernews.com/2021/12/malicious-kmspico-windows-activator.html
∗∗∗ The Importance of Out-of-Band Networks ∗∗∗
---------------------------------------------
Out-of-band (or "OoB") networks are usually dedicated to management tasks. Many security appliances and servers have dedicated management interfaces that are used to set up, control, and monitor the device. A best practice is to connect those management interfaces to a dedicated network that is not directly connected to the network used to carry applications/users data.
---------------------------------------------
https://isc.sans.edu/diary/rss/28102
∗∗∗ Who Is the Network Access Broker ‘Babam’? ∗∗∗
---------------------------------------------
Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in stealing remote access credentials -- such as usernames and passwords needed to remotely connect to the target's network. In this post we'll look at the clues left behind by "Babam," the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions ...
---------------------------------------------
https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam/
∗∗∗ Emotet’s back and it isn’t wasting any time ∗∗∗
---------------------------------------------
Last month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from the dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity.
---------------------------------------------
https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wast…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Small Business 220 Series Smart Switches Link Layer Discovery Protocol Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following:
- Execute code on the affected device or cause it to reload unexpectedly
- Cause LLDP database corruption on the affected device
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletins 2021-12-03 ∗∗∗
---------------------------------------------
IBM Event Streams, IBM Cloud Automation Manager, IBM Data Studio Client, EDB PostgreSQL with IBM, EDB Postgres Advanced Server with IBM, IBM Data Management Platform (Enterprise, Standard), IBM QRadar SIEM
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (isync, lib32-nss, nss, opera, and vivaldi), Debian (gerbv and xen), Fedora (autotrace, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, libsndfile, nss, pfstools, php-pecl-imagick, psiconv, q, R-magick, rss-glx, rubygem-rmagick, seamonkey, skopeo, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, vim, vips, and WindowMaker), Mageia (golang, kernel, kernel-linus, mariadb, and vim), openSUSE (aaa_base, python-Pygments, singularity, and tor), Red Hat (nss), Slackware (mozilla), SUSE (aaa_base, kernel, openssh, php74, and xen), and Ubuntu (libmodbus, lrzip, samba, and uriparser).
---------------------------------------------
https://lwn.net/Articles/877821/
∗∗∗ ABB Cyber Security Advisory: OmniCore RobotWare Missing Authentication Vulnerability CVE ID: CVE-2021-22279 ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCod…
∗∗∗ F5 K50839343: NGINX ModSecurity WAF vulnerability CVE-2021-42717 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K50839343
∗∗∗ F5 K12705583: OpenSSH vulnerability CVE-2021-41617 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K12705583
∗∗∗ Auerswald COMpact Multiple Backdoors ∗∗∗
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/
∗∗∗ Auerswald COMpact Arbitrary File Disclosure ∗∗∗
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-006/
∗∗∗ Auerswald COMpact Privilege Escalation ∗∗∗
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-005/
∗∗∗ Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass ∗∗∗
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-12-2021 18:00 − Friday 03-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Key Characteristics of Malicious Domains: Report ∗∗∗
---------------------------------------------
Newer top-level domains and certain hosting providers are frequent sources of malicious content, while newly registered domains and free SSL certificates are not any more likely than average to be risky, new research shows.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/research-outs-the-providers…
∗∗∗ Caution: „New Christmas emoji for WhatsApp“ is a trap ∗∗∗
---------------------------------------------
Subscription traps and malware are being spread via a WhatsApp message that promises Christmas emoji.
---------------------------------------------
https://futurezone.at/apps/vorsicht-neue-weihnachts-emoji-fuer-whatsapp-fal…
∗∗∗ The UPX Packer Will Never Die!, (Fri, Dec 3rd) ∗∗∗
---------------------------------------------
Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack their software to protect the code.
---------------------------------------------
https://isc.sans.edu/diary/rss/28096
∗∗∗ Exploring Container Security: A Storage Vulnerability Deep Dive ∗∗∗
---------------------------------------------
Recently, the GKE Security team discovered a high severity vulnerability in Kubernetes (CVE-2021-25741) that allowed workloads to have access to parts of the host filesystem outside the mounted volumes' boundaries. Although the vulnerability was patched back in September, we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.
---------------------------------------------
https://security.googleblog.com/2021/12/exploring-container-security-storag…
∗∗∗ Analysis: AWS SageMaker Jupyter Notebook Instance Takeover ∗∗∗
---------------------------------------------
During our research about security in data science tools we decided to look at Amazon SageMaker which is a fully managed machine learning service in AWS. Here is the long and short of our recent discovery. [...] Using the access token, the attacker can read data from S3 buckets, create VPC endpoints and more actions that are allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy. We reported the vulnerability we discovered to the AWS security team [...]
---------------------------------------------
https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
∗∗∗ Examples of virus emails after the takeover of an Exchange server ∗∗∗
---------------------------------------------
And we are already at the third door of my blog's security advent calendar. I had warned several times here on the blog that unpatched Exchange servers are being taken over and misused for sending spam. A blog reader has now sent me a short note (thanks) because he found a compromised Exchange server that was sending infected spam emails.
---------------------------------------------
https://www.borncity.com/blog/2021/12/03/beispiele-fr-viren-mails-nach-bern…
∗∗∗ Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension ∗∗∗
---------------------------------------------
Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems.
---------------------------------------------
https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertisin…
∗∗∗ Premium-rate services are trying to lure you into a subscription trap! ∗∗∗
---------------------------------------------
Install the wrong app on your phone once, open a wrong link or click on a supposedly harmless button: on a smartphone it can happen very quickly that you end up in a subscription trap and your phone bill suddenly turns out considerably higher than usual. But don't worry: even if money has already been debited, you can contest the charge with your mobile provider.
---------------------------------------------
https://www.watchlist-internet.at/news/mehrwertdienste-versuchen-sie-in-die…
=====================
= Vulnerabilities =
=====================
∗∗∗ Researchers discover 14 new data-stealing web browser attacks ∗∗∗
---------------------------------------------
IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of XS-Leak cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researchers-discover-14-new-…
∗∗∗ CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus ∗∗∗
---------------------------------------------
This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-rele…
∗∗∗ IBM Security Bulletins 2021-12-02 ∗∗∗
---------------------------------------------
IBM Integration Bus, Power System, IBM Cloud Pak System, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Cognos Analytics
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050) ∗∗∗
---------------------------------------------
The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests.
---------------------------------------------
https://research.nccgroup.com/2021/12/02/technical-advisory-authenticated-s…
∗∗∗ Free Micropatches for the "InstallerFileTakeOver" 0day ∗∗∗
---------------------------------------------
Wow, this is the third 0day found by the same researcher we're patching in the last two weeks. Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation [...]
---------------------------------------------
https://blog.0patch.com/2021/12/free-micropatches-for.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14).
---------------------------------------------
https://lwn.net/Articles/877582/
∗∗∗ Schneider Electric SESU ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Insufficient Entropy vulnerability in the Schneider Electric Software Update.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-01
∗∗∗ Johnson Controls Entrapass ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Johnson Controls Entrapass security management software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-02
∗∗∗ Distributed Data Systems WebHMI ∗∗∗
---------------------------------------------
This advisory contains mitigations for Authentication Bypass by Primary Weakness, and Unrestricted Upload of File with Dangerous Type vulnerabilities in Distributed Data Systems WebHMI SCADA systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03
∗∗∗ Hitachi Energy RTU500 series BCI ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Hitachi Energy RTU500 series BCI remote terminal units.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-04
∗∗∗ Hitachi Energy Relion 670/650/SAM600-IO ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Insecure Default Initialization of Resource vulnerability in Hitachi Energy Relion 670/650/SAM600-IO Intelligent Electronic Devices (IEDs).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-05
∗∗∗ Hitachi Energy APM Edge ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in Hitachi Energy Transformer Asset Performance Management (APM) Edge software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-06
∗∗∗ Hitachi Energy PCM600 Update Manager ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Certificate Validation vulnerability in Hitachi Energy PCM600 Update Manager protection and control IED software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-07
∗∗∗ Hitachi Energy RTU500 series ∗∗∗
---------------------------------------------
This advisory contains mitigations for Observable Discrepancy, Buffer Over-read, and Out-of-bounds Read vulnerabilities in Hitachi Energy RTU500 remote terminal units.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-08
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 01-12-2021 18:00 − Thursday 02-12-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ New malware hides as legit nginx process on e-commerce servers ∗∗∗
---------------------------------------------
eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions. [...] Because NginRAT hides as a normal Nginx process and the code exists only in the server’s memory, detecting it may be a challenge. However, the malware is launched using two variables, LD_PRELOAD and LD_L1BRARY_PATH. Administrators can use the latter, which contains the “typo,” to reveal the active malicious processes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-n…
∗∗∗ Nine WiFi routers used by millions were vulnerable to 226 flaws ∗∗∗
---------------------------------------------
Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-mi…
∗∗∗ WordPress Admin Creator – A Simple, But Effective Attack ∗∗∗
---------------------------------------------
Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Injecting a malicious admin user into a WordPress site can allow attackers easy access back into a victim’s website after it has been cleaned.
---------------------------------------------
https://blog.sucuri.net/2021/12/wordpress-admin-creator-a-simple-but-effect…
∗∗∗ pip-audit ∗∗∗
---------------------------------------------
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports.
---------------------------------------------
https://pypi.org/project/pip-audit/
∗∗∗ Buy the digital vignette only from official shops! ∗∗∗
---------------------------------------------
The vignette for the year 2022 is already valid on Austrian motorways from 1 December. The digital vignette can be bought not only at various official points of sale but also online. Dubious providers take advantage of this and offer the digital vignette at unjustifiably higher prices.
---------------------------------------------
https://www.watchlist-internet.at/news/digitale-vignette-nur-in-offiziellen…
∗∗∗ Azure Privilege Escalation via Azure API Permissions Abuse ∗∗∗
---------------------------------------------
In this post, I will explain how one of those permissions systems can be abused to escalate to Global Admin. I’ll explain how you as an attacker can abuse this system, and I will also explain how you as a defender can find, clean up, and prevent these abusable configurations.
---------------------------------------------
https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permis…
∗∗∗ Windows 10/11: trap in the "trusted" apps installer; Emotet is exploiting it ∗∗∗
---------------------------------------------
Ho ho, folks, today we can open the second door of the advent calendar and see what nice things Microsoft has hidden behind it to scare administrators. Today we find the AppX installer, which is used in Windows 10 and Windows 11 to install applications and apps. Here is a short overview of why the little phrase "Trusted Apps" should not be taken quite so literally. The associated installer can certainly flush malware onto the system (Emotet is currently using this in attacks) while, due to a serious design flaw, identifying the apps as trusted.
---------------------------------------------
https://www.borncity.com/blog/2021/12/02/windows-10-11-falle-beim-trusted-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ BigSig hole: Mozilla closes critical vulnerability in crypto library NSS ∗∗∗
---------------------------------------------
If applications use Mozilla's Network Security Services for secure communication, a critical hole could cause problems. [...] The library is used, for example, in the Thunderbird email client, LibreOffice and various PDF viewers. According to a Mozilla advisory, the company's own web browser Firefox is not affected by the security hole (CVE-2021-43527), which is rated as „critical“.
---------------------------------------------
https://heise.de/-6281977
∗∗∗ Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields" ∗∗∗
---------------------------------------------
Users of this product may do the following:
- Browse unauthorized data on the database - CVE-2021-20865
- Obtain a list of information that a user does not have the privilege for - CVE-2021-20866
- Move field groups that a user does not have permission to use - CVE-2021-20867
Solution: Update the plugin
---------------------------------------------
https://jvn.jp/en/jp/JVN09136401/
∗∗∗ ZDI-21-1373: Jenkins Report Info XML External Entity Processing Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Jenkins Report Info. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1373/
∗∗∗ Multiple vulnerabilities in OrbiTeam BSCW Server ∗∗∗
---------------------------------------------
The BSCW Server of OrbiTeam Software GmbH & Co. KG is prone to multiple vulnerabilities like reflected and stored XSS, LFI and Open Redirect. It is possible to chain these vulnerabilities and compromise the server even without a valid login.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel, openssh, and rpm), Debian (nss), Fedora (seamonkey), Mageia (glibc), openSUSE (go1.16, go1.17, kernel, mariadb, netcdf, openexr, poppler, python-Pygments, python-sqlparse, ruby2.5, speex, and webkit2gtk3), Oracle (nss), Red Hat (nss), SUSE (clamav, glibc, gmp, go1.16, go1.17, kernel, mariadb, netcdf, OpenEXR, openexr, openssh, poppler, python-Pygments, python-sqlparse, ruby2.1, ruby2.5, speex, webkit2gtk3, and xen), and Ubuntu (nss and thunderbird).
---------------------------------------------
https://lwn.net/Articles/877410/
∗∗∗ Delta Electronics CNCSoft - ICS Advisory (ICSA-21-334-03) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-03
∗∗∗ Security Bulletin: OpenSSH for IBM i is affected by CVE-2021-41617 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssh-for-ibm-i-is-affe…
∗∗∗ Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Tivoli Business Service Manager (CVE-2013-0248) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-fileupload…
∗∗∗ Security Bulletin: Security Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Netty.io ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: Apache Wink as used by IBM Disconnected Log Collector is vulnerable to an XML External Entity Error (XXE) (CVE-2010-2245) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-wink-as-used-by-ib…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-11-2021 18:00 − Wednesday 01-12-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Microsoft Exchange servers hacked to deploy BlackByte ransomware ∗∗∗
---------------------------------------------
BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h…
∗∗∗ Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st) ∗∗∗
---------------------------------------------
We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site.
---------------------------------------------
https://isc.sans.edu/diary/rss/28088
∗∗∗ Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors ∗∗∗
---------------------------------------------
RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel…
∗∗∗ l+f: Emotet false alarm from Microsoft Defender ∗∗∗
---------------------------------------------
Microsoft's antivirus unnecessarily alarmed users and administrators: a faulty detection update saw Emotet infections where there were none.
---------------------------------------------
https://heise.de/-6280766
∗∗∗ Tracking a P2P network related with TA505 ∗∗∗
---------------------------------------------
For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them.
---------------------------------------------
https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-wit…
∗∗∗ Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.
---------------------------------------------
http://blog.talosintelligence.com/2021/12/vuln-spotlight-chrome-.html
∗∗∗ E-mail: "Ihr Paket ist in der Warteschleife" ("Your parcel is on hold") is fake ∗∗∗
---------------------------------------------
Are you currently waiting for a parcel? Then beware of e-mails with the subject "Ihr Paket ist in der Warteschleife" ("Your parcel is on hold"). Criminals pose as DHL and claim that customs fees are outstanding.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-ihr-paket-ist-in-der-wartesch…
∗∗∗ Play Your Cards Right: Detecting Wildcard DNS Abuse ∗∗∗
---------------------------------------------
Wildcard DNS records can be used constructively, but their flexibility also provides attackers with a variety of options for executing attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/wildcard-dns-abuse/
∗∗∗ Shodan Verified Vulns 2021-12-01 ∗∗∗
---------------------------------------------
Overall there is little change from the previous month, although the number of vulnerable Microsoft Exchange servers dropped quite noticeably. Props to the administrators!
---------------------------------------------
https://cert.at/de/aktuelles/2021/12/shodan-verified-vulns-2021-12-01
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-kn…
∗∗∗ FBI document shows what data can be obtained from encrypted messaging apps ∗∗∗
---------------------------------------------
A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.
---------------------------------------------
https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2021-11-30 ∗∗∗
---------------------------------------------
IBM QRadar SIEM, IBM Integration Bus, IBM App Connect Enterprise, IBM HTTP Server, IBM Cloud Pak for Data, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Match 360, IBM SDK (Java™ Technology Edition), IBM WebSphere Application Server
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (rsync, rsyslog, and uriparser), Fedora (containerd, freeipa, golang-github-containerd-ttrpc, libdxfrw, libldb, librecad, mingw-speex, moby-engine, samba, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and samba), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, [...])
---------------------------------------------
https://lwn.net/Articles/877284/
∗∗∗ Jamf Pro management software for Apple devices could leak credentials ∗∗∗
---------------------------------------------
https://heise.de/-6281352
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211201-…
∗∗∗ XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/12/xss-vulnerability-patched-in-plugin-…
∗∗∗ Mozilla Foundation Security Advisory 2021-51: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02
∗∗∗ Johnson Controls CEM Systems AC2000 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-04
∗∗∗ Hitachi Energy Retail Operations and CSB Software ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-05
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-11-2021 18:00 − Tuesday 30-11-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Printing Shellz: security vulnerabilities in HP printers/multifunction devices ∗∗∗
---------------------------------------------
Fitting for 30 November, Computer Security Day, I have one more item. There is a security vulnerability in the firmware of certain HP LaserJet, HP LaserJet Managed, HP PageWide and HP PageWide Managed products. These may be susceptible to a buffer overflow. That means attackers could intercept print jobs or scans and possibly cripple company networks.
---------------------------------------------
https://www.borncity.com/blog/2021/11/30/printing-shellz-sicherheitslcken-i…
∗∗∗ Fake BAWAG SMS in circulation ∗∗∗
---------------------------------------------
Fake SMS messages in the name of BAWAG are currently circulating. In the SMS, sent with "BawagPSK" as the sender, recipients are told that their account has allegedly been blocked and that a security app must be installed. Do not click the link under any circumstances. It leads to a fake BAWAG website!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-bawag-sms-im-umlauf/
∗∗∗ Malicious USB drives: Still a security problem ∗∗∗
---------------------------------------------
A malicious USB drive dropped in a parking lot - this image has become a bit of a trope in IT security circles. Still, the threat is very real and more relevant than ever.
---------------------------------------------
https://www.gdatasoftware.com/blog/2021/11/usb-drives-still-a-danger
∗∗∗ What We’ve Learned About SSH Brute Force Attacks ∗∗∗
---------------------------------------------
The first time I encountered brute force attacks I was a hosting specialist who received calls from frustrated site owners that wanted to know who’d gained access to their server. Many of them didn’t understand the importance of a password’s character strength, or how frequent attacks on “root” are as a username, including myself at one point in time. I’ve learned more about SSH Brute Force attacks throughout my years at Sucuri.
---------------------------------------------
https://blog.sucuri.net/2021/11/what-weve-learned-about-ssh-brute-force-att…
∗∗∗ 300.000+ infections via Droppers on Google Play Store ∗∗∗
---------------------------------------------
In this blog we will discuss the recent techniques used to spread Android banking trojans via Google Play (MITRE T1475) resulting in significant financial loss for targeted banks. We will also discuss the, sometimes forgotten, by-product of collecting contacts and keystrokes by Banking trojans, resulting in severe data leakage.
---------------------------------------------
https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html
∗∗∗ Sabbath Ransomware Operators Target Critical Infrastructure ∗∗∗
---------------------------------------------
Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.
---------------------------------------------
https://www.securityweek.com/sabbath-ransomware-operators-target-critical-i…
∗∗∗ Yanluowang: Further Insights on New Ransomware Threat ∗∗∗
---------------------------------------------
At least one attacker now using Yanluowang may have previously been linked to the Thieflock ransomware operation.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ya…
∗∗∗ Kernel Karnage – Part 5 (I/O & Callbacks) ∗∗∗
---------------------------------------------
After showing interceptor’s options, it’s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C.
---------------------------------------------
https://blog.nviso.eu/2021/11/30/kernel-karnage-part-5-i-o-callbacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (samba), Fedora (kernel), openSUSE (netcdf and tor), SUSE (netcdf and python-Pygments), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/877186/
∗∗∗ ZDI-21-1371: (0Day) Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1371/
∗∗∗ ZDI-21-1370: (0Day) Esri ArcReader PMF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1370/
∗∗∗ Trend Micro products: vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1244
∗∗∗ Cross-Site Request Forgery in Team Password Manager (SYSS-2021-059) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-request-forgery-im-team-passwor…
∗∗∗ Host Header Poisoning in Team Password Manager (SYSS-2021-060) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/host-header-poisoning-im-team-password-man…
∗∗∗ Advisory: Vulnerabilities in B&R Automation Studio and PVI Windows Services ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16367454…
∗∗∗ Advisory: Number:Jack in B&R Products ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16367454…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: A Security Vulnerability in IBM® WebSphere Application Server Liberty affects IBM LKS Administration and Reporting Tool and its Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2021-38999) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Operations Analytics – Log Analysis (CVE-2021-35517, CVE-2021-36090) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU Binutils affects IBM Netezza Performance Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a code injection vulnerability (CVE-2021-38967) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM License Key Server Administration and Reporting Tool and its Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a disclosure of sensitive information vulnerability (CVE-2021-39000) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-11-2021 18:00 − Monday 29-11-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ TrickBot phishing checks screen resolution to evade researchers ∗∗∗
---------------------------------------------
The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-scr…
∗∗∗ IT security: ETSI publishes first standard for secure smartphones ∗∗∗
---------------------------------------------
A new standard from the European standards institute ETSI is intended to help manufacturers worldwide raise the IT security of consumer mobile phones.
---------------------------------------------
https://heise.de/-6278376
∗∗∗ Google analysis: cloud services attackable through weak passwords ∗∗∗
---------------------------------------------
The company examined break-ins into cloud instances, names the causes and derives recommendations for action from them.
---------------------------------------------
https://heise.de/-6277514
∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗
---------------------------------------------
In June 2021, security researcher Abdelhamid Naceri published a blog post about an "unpatched information disclosure" vulnerability in Windows. The post details the mechanics of the issue and its exploitation, allowing a non-admin Windows user to read arbitrary files even if they do not have permissions to do so.
---------------------------------------------
https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html
∗∗∗ Ghidra 101: Binary Patching ∗∗∗
---------------------------------------------
There are several circumstances where it can be helpful to make a modification to code or data within a compiled program. Sometimes, it is necessary to fix a vulnerability or compatibility issue without functional source code or compilers. This can happen when source code gets lost, systems go out of support, or software firms go out of business. In case you should find yourself in this situation, keep calm and read on to learn how to do this within Ghidra.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/ghidra-…
∗∗∗ AVM warns of phishing e-mails with FRITZ!Box answering machine message ∗∗∗
---------------------------------------------
The manufacturer of the FRITZ!Box, the Berlin company AVM, is currently warning of a wave of phishing e-mails whose attachment allegedly contains a voice message from the FRITZ!Box answering machine. Anyone who tries to listen to this attachment by double-clicking it under Windows installs malware.
---------------------------------------------
https://www.borncity.com/blog/2021/11/28/avm-warnt-vor-phishing-mails-mit-f…
∗∗∗ Cobalt Strike: Decrypting DNS Traffic – Part 5 ∗∗∗
---------------------------------------------
Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post.
---------------------------------------------
https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Backdoor.Win32.Coredoor.10.a / Authentication Bypass RCE ∗∗∗
---------------------------------------------
Description: The malware listens on TCP port 21000. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021110120
∗∗∗ FortiClientWindows & FortiClient EMS - Privilege escalation via DLL Hijacking ∗∗∗
---------------------------------------------
An unsafe search path vulnerability in FortiClient and FortiClient EMS may allow an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path.
---------------------------------------------
https://www.fortiguard.com/psirt/FG-IR-21-088
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen).
---------------------------------------------
https://lwn.net/Articles/877105/
∗∗∗ Insulet OmniPod Insulin Management System vulnerability ∗∗∗
---------------------------------------------
https://omnipod.lyrebirds.dk/
∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-11-2021 18:00 − Friday 26-11-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ IT threat evolution Q3 2021 ∗∗∗
---------------------------------------------
WildPressure and LuminousMoth threat actors, FinSpy implants, zero-day vulnerabilities and PrintNightmare, threats for Linux and macOS in our review of Q3 2021.
---------------------------------------------
https://securelist.com/it-threat-evolution-q3-2021/104876/
∗∗∗ YARA's Private Strings, (Thu, Nov 25th) ∗∗∗
---------------------------------------------
YARA supports private strings. A string can be marked as private by including string modifier "private". Here is a use case. [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/28010
∗∗∗ Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090, (Fri, Nov 26th) ∗∗∗
---------------------------------------------
Over the past 7 days, my honeypot captured a few hundred POST requests for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. If successfully exploited, it could allow unauthenticated remote actors to bypass authentication and add the router to the Mirai botnet.
---------------------------------------------
https://isc.sans.edu/diary/rss/28072
∗∗∗ EU needs more cybersecurity graduates, says ENISA infosec agency – pointing at growing list of masters degree courses ∗∗∗
---------------------------------------------
The EU needs more cybersecurity graduates to plug the political bloc's shortage of skilled infosec bods, according to a report from the ENISA online security agency.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/11/26/enisa_cybers…
∗∗∗ RATDispenser: JavaScript loader installs remote access trojans (RAT) on Windows ∗∗∗
---------------------------------------------
One more short addendum on the subject of security that came to my attention these days. Security researchers at HP Threat Research have come across a loader written in JavaScript that installs remote access trojans (RAT) on Windows systems. The developer appears [...]
---------------------------------------------
https://www.borncity.com/blog/2021/11/26/ratdispenser-javascript-loader-ins…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices ∗∗∗
---------------------------------------------
Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L. Resecurity, a Los Angeles-based cybersecurity company, has identified an active zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises.
---------------------------------------------
https://securityaffairs.co/wordpress/125016/hacking/0-day-tp-link-wi-fi-6.h…
∗∗∗ Attackers could gain control of Qnap video surveillance systems ∗∗∗
---------------------------------------------
An important update closes, among other things, a critical vulnerability in some Qnap network video recorders.
---------------------------------------------
https://heise.de/-6277445
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (freerdp, gnome-boxes, gnome-connections, gnome-remote-desktop, guacamole-server, hydra, java-1.8.0-openjdk-aarch32, medusa, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, php, pidgin-sipe, remmina, vinagre, and weston), openSUSE (kernel and netcdf), and SUSE (kernel and netcdf).
---------------------------------------------
https://lwn.net/Articles/876922/
∗∗∗ Zoom Video Communications products: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1235
∗∗∗ Security Bulletin: Vulnerability in jsoup may affect Cúram Social Program Management (CVE-2021-37714) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jsoup-ma…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2020-9488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Dojo may affect IBM Cúram Social Program Management (CVE-2018-15494) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may…
∗∗∗ Security Bulletin: Vulnerability in Apache Santuario XML Security for Java may affect Cúram Social Program Management (CVE-2021-40690) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-11-2021 18:00 − Thursday 25-11-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New CronRAT malware infects Linux systems using odd day cron jobs ∗∗∗
---------------------------------------------
Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cronrat-malware-infects-…
∗∗∗ Discord malware campaign targets crypto and NFT communities ∗∗∗
---------------------------------------------
A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/discord-malware-campaign-tar…
∗∗∗ Improving security for mobile devices: CISA issues guides ∗∗∗
---------------------------------------------
CISA has released actionable guides with advice on how to improve security for mobile devices, both for consumers and organizations.
---------------------------------------------
https://blog.malwarebytes.com/android/2021/11/improving-security-for-mobile…
∗∗∗ Bitcoin extortion with alleged masturbation recordings ∗∗∗
---------------------------------------------
Every year, criminals try to extort money with invented claims. Supposedly your systems were hacked and you were filmed while viewing pornographic content. The message is pure fiction and is sent out en masse.
---------------------------------------------
https://www.watchlist-internet.at/news/bitcoin-erpressung-mit-masturbations…
∗∗∗ Sophisticated Tardigrade malware launches attacks on vaccine manufacturing infrastructure ∗∗∗
---------------------------------------------
Security researchers are warning biomanufacturing facilities around the world that they are being targeted by a sophisticated new strain of malware, known as Tardigrade.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/sophist…
∗∗∗ Black Friday spam campaigns in the starting blocks ∗∗∗
---------------------------------------------
26 November 2021 is Black Friday, when almost everything is supposedly free. That also brings cyber criminals into action, and they increasingly target consumers with online shopping fraud attempts.
---------------------------------------------
https://www.borncity.com/blog/2021/11/25/black-friday-spam-kampagnen-in-den…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware patches vulnerabilities in vSphere Web Client - partially ∗∗∗
---------------------------------------------
The vendor reports security vulnerabilities, some of them high risk. However, updates are not yet available for all affected products.
---------------------------------------------
https://heise.de/-6276216
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (busybox, getdata, and php), Mageia (couchdb, freerdp, openexr, postgresql, python-reportlab, and rsh), openSUSE (bind, java-1_8_0-openjdk, and kernel), SUSE (java-1_7_0-openjdk), and Ubuntu (icu).
---------------------------------------------
https://lwn.net/Articles/876852/
∗∗∗ ModSecurity DoS Vulnerability in JSON Parsing (CVE-2021-42717) ∗∗∗
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity…
∗∗∗ Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021 ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Ant affect IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerabilities affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…