=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-11-2021 18:00 − Freitag 05-11-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Phishing emails deliver spooky zombie-themed MirCop ransomware ∗∗∗
---------------------------------------------
A new phishing campaign pretending to be supply lists infects users with the MirCop ransomware that encrypts a target system in under fifteen minutes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-emails-deliver-spoo…
∗∗∗ Bluetooth-Lücken Braktooth: Das Patchen geht nur schleppend voran ∗∗∗
---------------------------------------------
Für Braktooth-Attacken anfällige Bluetooth-Geräte könnten zeitnah in den Fokus von Angreifern rücken. Patches sind noch längst nicht flächendeckend verfügbar.
---------------------------------------------
https://heise.de/-6254474
∗∗∗ SSL certificate research highlights pitfalls for company data, competition ∗∗∗
---------------------------------------------
Analysis reveals hidden risks for organizations that do not monitor their certificate usage.
---------------------------------------------
https://www.zdnet.com/article/ssl-certificate-research-highlights-pitfalls-…
∗∗∗ The IoT is getting a lot bigger, but security is still getting left behind ∗∗∗
---------------------------------------------
Four in five Internet of Things device vendors dont provide any information on how to disclose security vulnerabilities. That means problems just dont get fixed.
---------------------------------------------
https://www.zdnet.com/article/the-iot-is-getting-a-lot-bigger-but-security-…
∗∗∗ Malware found in coa and rc, two npm packages with 23M weekly downloads ∗∗∗
---------------------------------------------
The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.
---------------------------------------------
https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-2…
∗∗∗ Datenbank mit Millionen Daten von VPN-Nutzern ungeschützt im Internet (Okt. 2021) ∗∗∗
---------------------------------------------
Wer VPN-Anbieter nutzt, muss sich auf deren Sicherheit und Integrität verlassen können. Sicherheitsforscher Bob Diachenko von comparitech ist kürzlich im Internet auf eine ungeschützte Datenbank (kein Passwort) gestoßen, die mehr als 300 Millionen Datensätze mit den persönlichen Daten [...]
---------------------------------------------
https://www.borncity.com/blog/2021/11/05/datenbank-mit-millionen-daten-von-…
∗∗∗ Phishing PDF Files with CAPTCHA Screen Being Mass-distributed ∗∗∗
---------------------------------------------
Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by AhnLab’s ASD infrastructure since July up till now amount to 1,500,000.
---------------------------------------------
https://asec.ahnlab.com/en/28431/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-1278: Hewlett Packard Enterprise iLO Amplifier Pack backup Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise iLO Amplifier Pack. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1278/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd).
---------------------------------------------
https://lwn.net/Articles/875212/
∗∗∗ SYSS-2021-048/SYSS-2021-049: PHP Event Calendar – SQL Injection und Persistent Cross-Site Scripting ∗∗∗
---------------------------------------------
Im "PHP Event Calendar" wurden zwei Sicherheitslücken gefunden. So kann die Datenbank ausgelesen oder die Sitzung anderer Nutzer kompromittiert werden.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-048/syss-2021-049-php-event-cale…
∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1157
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29753 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilites ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-11-2021 18:00 − Donnerstag 04-11-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
=====================
= News =
=====================
∗∗∗ Wichtige Cisco-Updates: Recycelte SSH-Keys vereinfachten unbefugte Root-Zugriffe ∗∗∗
---------------------------------------------
Neue Versionen schließen eine kritische Lücke in Ciscos Policy Suite. Auch Catalyst PON Switches & weitere Produkte wurden gegen Angriffe abgesichert.
---------------------------------------------
https://heise.de/-6251668
∗∗∗ BSI-Paper: Technische Grundlagen sicherer Messenger-Dienste ∗∗∗
---------------------------------------------
Milliardenfach kommt weltweit ein Kommunikationsmittel zum Zuge: Messenger-Dienste. Die kurze geschriebene oder gesprochene Nachricht überrundet schon lange die SMS. Doch wie funktionieren Messenger? Was macht sie sicher und was eher nicht? Auf diese und weitere Fragen gibt das BSI-Paper „Moderne Messenger – heute verschlüsselt, morgen interoperabel?“ Antwort.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Cyberkriminelle verkaufen Zugänge zu internationalen Logistikfirmen ∗∗∗
---------------------------------------------
Es handelt sich oft um Schwachstellen in RDP und VPN. Angeboten werden aber auch gestohlene Zugangsdaten. Sicherheitsforscher warnen vor weiteren negativen Folgen für die Lieferkette.
---------------------------------------------
https://www.zdnet.de/88397581/cyberkriminelle-verkaufen-zugaenge-zu-interna…
∗∗∗ Betrug mit Verdopplung Ihrer Bitcoins und Kryptowährungen! ∗∗∗
---------------------------------------------
Kriminelle machen ein attraktives Angebot: Sie versprechen eine Verdopplung eingezahlter Kryptowährungen durch einfaches Übetragen auf eine Wallet. Der Haken an der Sache: Übertragene Währungen sind verloren, denn sie landen direkt auf den Wallets der Kriminellen. Genau das passiert auch auf spacegetbonus.com mit Bitcoin, Ethereum und Dogecoin!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-mit-verdopplung-ihrer-bitcoin…
∗∗∗ Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware ∗∗∗
---------------------------------------------
A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshel…
∗∗∗ Samsung Galaxy S21 hacked on second day of Pwn2Own Austin ∗∗∗
---------------------------------------------
Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/samsung-galaxy-s21-hacked-on…
∗∗∗ 5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls ∗∗∗
---------------------------------------------
Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques.
---------------------------------------------
https://www.darkreading.com/edge-threat-monitor/5-mitre-attck-tactics-most-…
∗∗∗ Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns ∗∗∗
---------------------------------------------
Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands.
---------------------------------------------
https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-van…
∗∗∗ Credit card skimmer evades Virtual Machines ∗∗∗
---------------------------------------------
After code obfuscation, anti-debugger tricks we now see virtual machine detection used by credit card skimmers.
---------------------------------------------
https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimm…
∗∗∗ The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing ∗∗∗
---------------------------------------------
In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim. The kit doesnt display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/vagabon-kit-frankens…
∗∗∗ Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server ∗∗∗
---------------------------------------------
GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a new Intezer Protect user’s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit [...]
---------------------------------------------
https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/
∗∗∗ Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 ∗∗∗
---------------------------------------------
We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic.
---------------------------------------------
https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical RCE Vulnerability Reported in Linux Kernels TIPC Module ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw in the Linux Kernels Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel [...]
---------------------------------------------
https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.ht…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
---------------------------------------------
https://lwn.net/Articles/875106/
∗∗∗ Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server ∗∗∗
---------------------------------------------
[...] Summary: Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-051/
∗∗∗ VISAM VBASE Editor ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Access Control, Cross-site Scripting, Using Components with Known Vulnerabilities, and Improper Restriction of XML External Entity Reference vulnerabilities in the VISAM VBASE Editor automation platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-308-01
∗∗∗ AzeoTech DAQFactory ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use of Inherently Dangerous Function, Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information, and Modification of Assumed-Immutable Data (MAID) vulnerabilities in the AzeoTech DAQFactory software and application development platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02
∗∗∗ BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities ∗∗∗
---------------------------------------------
On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-c…
∗∗∗ Security Bulletin: Vulnerability in Oracle, Java SE Affecting Watson Speech Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-oracle-j…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability (CVE-2020-26939) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Reflected cross-site scripting vulnerability in IBM Sterling B2B Integrator ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr…
∗∗∗ Grafana: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1154
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-11-2021 18:00 − Mittwoch 03-11-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
=====================
= News =
=====================
∗∗∗ A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions ∗∗∗
---------------------------------------------
This article provides an overview of what the App Sandbox is and the vulnerability details as disclosed to Apple.
---------------------------------------------
https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassin…
∗∗∗ Ransomware: "BlackMatter"-Gang will aufhören – mal wieder ∗∗∗
---------------------------------------------
Druck von Ermittlern veranlasst BlackMatter zum Aufhören. Ein endgültiger Abschied der alten Hasen aus dem Erpresser-Business scheint aber eher fraglich.
---------------------------------------------
https://heise.de/-6247924
∗∗∗ Sicherheitsforscher warnen vor zehntausenden verwundbaren GitLab-Servern ∗∗∗
---------------------------------------------
Obwohl es bereits mehrere Monate Sicherheitspatches für eine kritische Lücke gibt, sind einem Bericht zufolge immer noch viele GitLab-Server angreifbar.
---------------------------------------------
https://heise.de/-6249588
∗∗∗ This Steam phish baits you with free Discord Nitro ∗∗∗
---------------------------------------------
Theres another scam making rounds on Discord. And its cleverly phishing for Steam credentials.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-ba…
∗∗∗ Kleinanzeigenbetrug mit angeblichem Post-Kurier boomt! ∗∗∗
---------------------------------------------
Zahlreiche LeserInnen wenden sich derzeit an uns, da Kriminelle eine gefälschte Webseite der Post für Kleinanzeigenbetrug verwenden. Dabei suchen die BetrügerInnen auf Willhaben, Ebay, Shpock und Co. nach teuren Angeboten und erklären den VerkäuferInnen, dass der Kauf über einen Kurierdienst der Post abgewickelt werden soll.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-angeblichem-…
∗∗∗ Almost half of rootkits are used for cyberattacks against government organizations ∗∗∗
---------------------------------------------
On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage.
---------------------------------------------
https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-go…
∗∗∗ "Trojan Source": Was ist da dran? ∗∗∗
---------------------------------------------
An sich schätze ich Brian Krebs, er schreibt wirklich gute Artikel, aber bei ‘Trojan Source’ Bug Threatens the Security of All Code hat er etwas übertrieben.
---------------------------------------------
https://cert.at/de/aktuelles/2021/11/trojan-source-was-ist-da-dran
∗∗∗ CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities ∗∗∗
---------------------------------------------
CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to addresses vulnerabilities that establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-2…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco hat 16 Security Advisories veröffentlicht. Zwei davon werden als "Critical" eingestuft, zwei als "High", und zwölf als "Medium".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Patchday: Angreifer attackieren gezielt Android-Geräte ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Eine Lücke im Kernel nutzen Angreifer derzeit aus.
---------------------------------------------
https://heise.de/-6247997
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
---------------------------------------------
https://lwn.net/Articles/874980/
∗∗∗ ZDI-21-1277: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1277/
∗∗∗ ZDI-21-1276: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1276/
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211103-…
∗∗∗ Security Bulletin: Vulnerabilities in HAProxy Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-haprox…
∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.3 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/
∗∗∗ Red Hat Integration - Service Registry: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1143
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 29-10-2021 18:00 − Dienstag 02-11-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Trojan Source: Programmiersprachen lassen sich per Unicode trojanisieren ∗∗∗
---------------------------------------------
Ein Forschungsteam zeigt systematisch, wie sich mit Unicode-Tricks Code manipulieren lässt. Open-Source-Communitys und die IT-Industrie reagieren.
---------------------------------------------
https://www.golem.de/news/trojan-source-programmiersprachen-lassen-sich-per…
∗∗∗ BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool ∗∗∗
---------------------------------------------
The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports.
---------------------------------------------
https://www.securityweek.com/blackmatter-ransomware-operators-develop-custo…
∗∗∗ FBI Publishes IOCs for Hello Kitty Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has published a flash alert to share details on the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the Hello Kitty ransomware, which is also known as FiveHands.
---------------------------------------------
https://www.securityweek.com/fbi-publishes-iocs-hello-kitty-ransomware
∗∗∗ Webseiten-BetreiberInnen aufgepasst: Gefälschte E-Mails von WORLD4YOU im Umlauf ∗∗∗
---------------------------------------------
Zahlreiche Webseiten-BetreiberInnen erhalten momentan betrügerische E-Mails im Namen von Wordl4You. In den betrügerischen E-Mails wird behauptet, dass die Domain gesperrt wurde, abgelaufen ist oder verlängert werden muss.
---------------------------------------------
https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-…
∗∗∗ EU Digital Green Certificate: Was gilt eigentlich bei uns? ∗∗∗
---------------------------------------------
Nachdem der digitale grüne Pass gerade in den Medien ist, und ich für den Standard den Erklärbären mache, will ich hier ein paar technische Informationen dokumentieren, die für einen Zeitungsartikel dann doch zu technisch sind.
---------------------------------------------
https://cert.at/de/blog/2021/10/eu-digital-green-certificate-was-gilt-eigen…
∗∗∗ Shodan Verified Vulns 2021-11-01 ∗∗∗
---------------------------------------------
Das "Cyber-Security-Month" Oktober ist vorbei, aber, wie ein Blick in unsere Shodan-Daten vom 2021-11-01 verrät, hatte es keinen direkt sichtbaren Effekt: Die Veränderungen zu Anfang Oktober sind überschaubar.
---------------------------------------------
https://cert.at/de/aktuelles/2021/11/shodan-verified-vulns-2021-11-01
∗∗∗ From Zero to Domain Admin ∗∗∗
---------------------------------------------
This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document.
---------------------------------------------
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
=====================
= Vulnerabilities =
=====================
∗∗∗ Android November patch fixes actively exploited kernel bug ∗∗∗
---------------------------------------------
Google has released the Android November 2021 security updates, which address 18 vulnerabilities in the framework and system components, and 18 more flaws in the kernel and vendor components.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-november-patch-fixes…
∗∗∗ Alert! Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild ∗∗∗
---------------------------------------------
A now-patched critical remote code execution (RCE) vulnerability in GitLabs web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks.
---------------------------------------------
https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
Tivoli Composite Application Manager for Transactions, InfoSphere Information Server, InfoSphere DataStage Flow Designer, API Connect, Application Discovery and Delivery Intelligence, MessageGateway, PowerSC.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Firefox-Updates schließen zahlreiche Sicherheitslücken ∗∗∗
---------------------------------------------
Die Entwickler der Mozilla Foundation haben im Webbrowser Firefox mehr als ein Dutzend Sicherheitslücken gestopft.
---------------------------------------------
https://heise.de/-6245344
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/874623/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
---------------------------------------------
https://lwn.net/Articles/874818/
∗∗∗ Kaspersky Patches Vulnerability That Can Lead to Unbootable System ∗∗∗
---------------------------------------------
Kaspersky published two advisories on Monday to warn customers about a vulnerability that can lead to unbootable systems and a phishing campaign involving messages sent from a Kaspersky email address.
---------------------------------------------
https://www.securityweek.com/kaspersky-patches-vulnerability-can-lead-unboo…
∗∗∗ November 1, 2021 TNS-2021-18 [R1] Nessus 10.0.0 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2021-18
∗∗∗ Synology-SA-21:27 ISC BIND ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_27
∗∗∗ Sensormatic Electronics VideoEdge ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-306-01
∗∗∗ WECON PI Studio (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-10-2021 18:00 − Freitag 29-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Wie Ransomware eine Stadtverwaltung Tage lang lahmlegte ∗∗∗
---------------------------------------------
Neustadt am Rübenberge war Ziel eines großen IT-Angriffs. Der Fall zeigt, wie stark sich das auswirken kann, welche Lehren Institutionen daraus ziehen sollten.
---------------------------------------------
https://heise.de/-6236592
∗∗∗ Betrügerische Mails und SMS im Namen der Volksbank im Umlauf! ∗∗∗
---------------------------------------------
Derzeit geben sich BetrügerInnen vermehrt als Volksbank aus, um per Mail oder SMS an die Online-Banking-Zugangsdaten von potenziellen Opfer zu kommen. Die Kriminellen behaupten dabei, dass eine App installiert werden müsste oder der Zugang zu dieser App gesperrt wurde. Achtung: Es handelt sich um Phishing und Smishing!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-name…
∗∗∗ SEO Poisoning Used to Distribute Ransomware ∗∗∗
---------------------------------------------
This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribu…
∗∗∗ Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App ∗∗∗
---------------------------------------------
Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency.
---------------------------------------------
https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/
∗∗∗ Pink, a botnet that competed with the vendor to control the massive infected devices ∗∗∗
---------------------------------------------
Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...]
---------------------------------------------
https://blog.netlab.360.com/pink-en/
∗∗∗ This New Android Malware Can Gain Root Access to Your Smartphones ∗∗∗
---------------------------------------------
An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis.
---------------------------------------------
https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.ht…
∗∗∗ Update your OptinMonster WordPress plugin immediately ∗∗∗
---------------------------------------------
We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-y…
∗∗∗ Network Scanning Traffic Observed in Public Clouds ∗∗∗
---------------------------------------------
Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/
∗∗∗ NSA-CISA Series on Securing 5G Cloud Infrastructures ∗∗∗
---------------------------------------------
The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ All Windows versions impacted by new LPE zero-day vulnerability ∗∗∗
---------------------------------------------
A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/all-windows-versions-impacte…
∗∗∗ Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X ∗∗∗
---------------------------------------------
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN69304877/
∗∗∗ Shrootless: Microsoft finds Apple macOS vulnerability ∗∗∗
---------------------------------------------
Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootle…
∗∗∗ XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites ∗∗∗
---------------------------------------------
On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations.
---------------------------------------------
https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-soc…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
---------------------------------------------
https://lwn.net/Articles/874354/
∗∗∗ Sensormatic Electronics victor ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01
∗∗∗ Delta Electronics DOPSoft (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04
∗∗∗ GoCD Authentication Vulnerability ∗∗∗
---------------------------------------------
GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authenticati…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Advisory: RCE Vulnerability in Automation Studio ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384…
∗∗∗ Advisory: ZipSlip Vulnerability in Automation Studio Project Import ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384…
∗∗∗ Advisory: DLL Hijacking Vulnerability in Automation Studio ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384…
∗∗∗ ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN60553023/
∗∗∗ ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1273/
∗∗∗ ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1272/
∗∗∗ ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1271/
∗∗∗ ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1270/
∗∗∗ ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1275/
∗∗∗ ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1274/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-10-2021 18:00 − Donnerstag 28-10-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ QR Codes Help Attackers Sneak Emails Past Security Controls ∗∗∗
---------------------------------------------
A recently discovered campaign shows how attackers are constantly developing new techniques to deceive phishing victims.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/qr-codes-help-attackers-sneak-…
∗∗∗ How we took part in MLSEC and (almost) won ∗∗∗
---------------------------------------------
How we took part in the Machine Learning Security Evasion Competition (MLSEC) — a series of trials testing contestants’ ability to create and attack machine learning models.
---------------------------------------------
https://securelist.com/how-we-took-part-in-mlsec-and-almost-won/104699/
∗∗∗ EU’s Green Pass Vaccination ID Private Key Leaked ∗∗∗
---------------------------------------------
The private key used to sign the vaccine passports was leaked and is being passed around to create fake passes for the likes of Mickey Mouse and Adolf Hitler.
---------------------------------------------
https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175…
∗∗∗ New Wslink Malware Loader Runs as a Server and Executes Modules in Memory ∗∗∗
---------------------------------------------
Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed "Wslink" by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory.
---------------------------------------------
https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html
∗∗∗ Threat profile: Ranzy Locker ransomware ∗∗∗
---------------------------------------------
What you need to know about Ranzy Locker ransomware.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2021/10/threat-profile-ranzy-locke…
∗∗∗ PSA: Widespread Remote Working Scam Underway ∗∗∗
---------------------------------------------
Attackers are posting jobs pretending to be from existing companies and steal money and/or personal information from jobseekers.
---------------------------------------------
https://www.wordfence.com/blog/2021/10/psa-widespread-remote-working-scam-u…
∗∗∗ Trends und Entwicklungen bei Fake-Shops ∗∗∗
---------------------------------------------
Fake-Shops gibt es wie Sand am Meer - und auch sie entwickeln sich nach Trends: Von E-Bikes bis zur Playstation5. Diese Trends sind von der Saison, aber auch von Angebot und Nachfrage abhängig. Was die Watchlist Internet im letzten Jahr über Fake-Shop-Trends erfahren hat, lesen Sie hier.
---------------------------------------------
https://www.watchlist-internet.at/news/trends-und-entwicklungen-bei-fake-sh…
∗∗∗ Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains ∗∗∗
---------------------------------------------
Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile.
---------------------------------------------
https://therecord.media/free-decrypters-released-for-atomsilo-babuk-and-loc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco hat 19 Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, neun als "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (salt), Slackware (bind), SUSE (salt), and Ubuntu (php5, php7.0, php7.2, php7.4, php8.0).
---------------------------------------------
https://lwn.net/Articles/874210/
∗∗∗ 2021 CWE Most Important Hardware Weaknesses ∗∗∗
---------------------------------------------
The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List. The 2021 Hardware List is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in hardware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/2021-cwe-most-imp…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 25-10-2021 18:00 − Mittwoch 27-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
=====================
= News =
=====================
∗∗∗ Babuk ransomware decryptor released to recover files for free ∗∗∗
---------------------------------------------
Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-r…
∗∗∗ Vorsicht: Neue Betrugswelle mit vermeintlichen DHL-SMS ∗∗∗
---------------------------------------------
Wieder sind betrügerische SMS zu Paketlieferungen im Umlauf. Ziel ist es, eine Schadsoftware aufs Handy zu bringen.
---------------------------------------------
https://futurezone.at/digital-life/betrug-dhl-sms-phishing-ausstehendes-pak…
∗∗∗ Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads ∗∗∗
---------------------------------------------
UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service.
---------------------------------------------
https://threatpost.com/android-scammed-sms-fraud-tik-tok/175739/
∗∗∗ Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users ∗∗∗
---------------------------------------------
The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet.
---------------------------------------------
https://threatpost.com/mozilla-firefox-blocks-malicious-add-ons-installed-b…
∗∗∗ Conti Ransom Gang Starts Selling Access to Victims ∗∗∗
---------------------------------------------
The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Contis malware who refuse to negotiate a ransom payment are added to Contis victim shaming blog, where confidential files stolen from victims may be published or sold.
---------------------------------------------
https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access…
∗∗∗ „Hallo Mama“ - Vorsicht vor Betrug über WhatsApp! ∗∗∗
---------------------------------------------
Aktuell versuchen BetrügerInnen über WhatsApp an das Geld von potentiellen Opfern zu kommen. Dafür geben Sie sich in einer Nachricht als Tochter oder Sohn der EmpfängerInnen aus und fordern die Überweisung von mehreren tausend Euro.
---------------------------------------------
https://www.watchlist-internet.at/news/hallo-mama-vorsicht-vor-betrug-ueber…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress: Erneute Sicherheitslücke im Plugin Ninja Forms ∗∗∗
---------------------------------------------
Das beliebte Formular-Framework ist erneut von einer Sicherheitslücke betroffen. Das WordPress-Plugin ist auf mehr als einer Million Webseiten aktiv.
---------------------------------------------
https://heise.de/-6229249
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7).
---------------------------------------------
https://lwn.net/Articles/874045/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp).
---------------------------------------------
https://lwn.net/Articles/874143/
∗∗∗ Belden Security Bulletin – BSECV-2020-03: Potential denial of service vulnerability in PROFINET Devices via DCE-RPC Packets ∗∗∗
---------------------------------------------
A vulnerability in the PROFINET stack implementation in Classic Firmware, HiOS, and HiLCOS could lead to a denial of service via an out of memory condition.
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=13688&mediaformat…
∗∗∗ Security Bulletin: A vulnerability exists in the restricted shell of the IBM FlashSystem 900 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in…
∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software – September 2021 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a…
∗∗∗ Security Bulletin: Openstack Compute (Nova) noVNC proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openstack-compute-nova-no…
∗∗∗ Security Bulletin: Insufficient session expiration in IBM i2 iBase ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-session-expi…
∗∗∗ Grafana vulnerability CVE-2021-39226 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K22322802
∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1114
∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1121
∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-299-01
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/adobe-releases-se…
∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/apple-releases-se…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 22-10-2021 18:00 − Montag 25-10-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CISA Urges Sites to Patch Critical RCE in Discourse ∗∗∗
---------------------------------------------
The patch, urgently rushed out on Friday, is an emergency fix for the widely deployed platform, whose No. 1 most trafficked site is Amazon’s Seller Central.
---------------------------------------------
https://threatpost.com/cisa-critical-rce-discourse/175705/
∗∗∗ Schadcode in weit verbreiteter JavaScript-Bibliothek UAParser.js entdeckt ∗∗∗
---------------------------------------------
Angreifer haben die JavaScript-Bibliothek UAParser.js mit Schadcode versehen, der auf betroffenen Rechnern Kryptogeld-Miner installiert.
---------------------------------------------
https://heise.de/-6226975
∗∗∗ Ransomware BlackMatter: Forscher bieten Gratis-Decryption für einige Varianten ∗∗∗
---------------------------------------------
Wer in den letzten Monaten eine Erpresserbotschaft der "BlackMatter"-Gang auf seinen Systemen entdeckt hat, kann jetzt auf Hilfe hoffen.
---------------------------------------------
https://heise.de/-6227925
∗∗∗ Betrügerische Smartphone-Ortungsdienste ∗∗∗
---------------------------------------------
Sie haben Ihr Handy verloren – was nun? Eine Google-Suche nach „Handyortung“ ergibt über 1,5 Millionen Treffer. Apps und Services zur Handyortung erfreuen sich großer Beliebtheit. Doch Vorsicht vor „gratis“ Ortungs-Apps wie www.locating.mobi, www.geolite.mobi, www.goandfind.online. Diese führen in eine Abo-Falle.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-smartphone-ortungsdie…
∗∗∗ Bericht: Ransomware-Gruppe REvil durch koordinierte Aktion mehrerer Staaten zerschlagen ∗∗∗
---------------------------------------------
An der Aktion sind unter anderem die USA beteiligt. In Sicherheitskreisen ist die Aktion wohl schon seit mehreren Tagen bekannt.
---------------------------------------------
https://www.zdnet.de/88397355/bericht-ransomware-gruppe-revil-durch-koordin…
∗∗∗ DDoS attacks hit multiple email providers ∗∗∗
---------------------------------------------
At least six email service providers have been hit by large distributed denial of service (DDoS) attacks on Friday, resulting in prolonged outages, The Record has learned.
---------------------------------------------
https://therecord.media/ddos-attacks-hit-multiple-email-providers/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 21 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt
∗∗∗ JSA11236 ∗∗∗
---------------------------------------------
2021-10 Security Bulletin: Junos OS: QFX5000 Series: Traffic from the network internal to the device (128.0.0.0) may be forwarded to egress interfaces (CVE-2021-31371)
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11236
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/873965/
∗∗∗ Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1107
∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1109
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 21-10-2021 18:00 − Freitag 22-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Evil Corp demands $40 million in new Macaw ransomware attacks ∗∗∗
---------------------------------------------
Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million…
∗∗∗ Hacking gang creates fake firm to hire pentesters for ransomware attacks ∗∗∗
---------------------------------------------
The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacking-gang-creates-fake-fi…
∗∗∗ Using Kerberos for Authentication Relay Attacks ∗∗∗
---------------------------------------------
This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentic…
∗∗∗ Windows Exploitation Tricks: Relaying DCOM Authentication ∗∗∗
---------------------------------------------
In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-…
∗∗∗ GPS Daemon (GPSD) Rollover Bug ∗∗∗
---------------------------------------------
Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-r…
∗∗∗ CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader ∗∗∗
---------------------------------------------
Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause.
---------------------------------------------
https://www.thezdi.com/blog/2021/10/20/cve-2021-28632-amp-cve-2021-39840-by…
∗∗∗ ASEC Weekly Malware Statistics (October 11th, 2021 – October 17th, 2021) ∗∗∗
---------------------------------------------
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 11th, 2021 (Monday) to October 17th, 2021 (Sunday). For the main category, info-stealer ranked top with 58.2%, followed by Downloader with 24.6%, RAT (Remote Administration Tool) malware with 7.4%, Backdoor malware with 4.7%, Ransomware with 4.1%, and Banking malware with 0.9%.
---------------------------------------------
https://asec.ahnlab.com/en/28007/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco SD-WAN Security Bug Allows Root Code Execution ∗∗∗
---------------------------------------------
The high-severity bug, tracked as CVE-2021-1529, is an OS command-injection flaw.
---------------------------------------------
https://threatpost.com/cisco-sd-wan-bug-code-execution-root/175669/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman).
---------------------------------------------
https://lwn.net/Articles/873746/
∗∗∗ Pulse Secure Pulse Connect Secure: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1103
∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1105
∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2021-32028) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow – CVE-2021-29835 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 20-10-2021 18:00 − Donnerstag 21-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
=====================
= News =
=====================
∗∗∗ Cybercrime matures as hackers are forced to work smarter ∗∗∗
---------------------------------------------
An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hacker…
∗∗∗ Franken-phish: TodayZoo built from other phishing kits ∗∗∗
---------------------------------------------
A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-b…
∗∗∗ "Stolen Images Evidence" campaign pushes Sliver-based malware, (Thu, Oct 21st) ∗∗∗
---------------------------------------------
On Wednesday 2021-10-20, Proofpoint reported the TA551 (Shathak) campaign started pushing malware based on Sliver. Sliver is a framework used by red teams for adversary simluation and penetration testing.
---------------------------------------------
https://isc.sans.edu/diary/rss/27954
∗∗∗ Die Rückkehr der Rootkits – signiert von Microsoft ∗∗∗
---------------------------------------------
Forscher haben in den vergangenen Monaten verstärkt die vermeintlich ausgestorbenen Kernelschadprogramme wiederentdeckt. Eingeschleust werden sie heute anders.
---------------------------------------------
https://heise.de/-6224944
∗∗∗ Innovation aus Österreich: Fake-Shop Detector entlarvt Online-Betrüger ∗∗∗
---------------------------------------------
Fake-Shops im Internet werden immer zahlreicher und zugleich schwieriger zu erkennen. Unterstützung bietet ab sofort die Beta-Version des Fake-Shop Detectors: Das Tool untersucht im Internet-Browser in Echtzeit, ob es sich um seriöse oder betrügerische Onlineshops handelt und stellt somit ein Best Practice für den Nutzen und die Chancen des Einsatzes von Künstlicher Intelligenz für Konsumentinnen und Konsumenten dar.
---------------------------------------------
https://www.watchlist-internet.at/news/innovation-aus-oesterreich-fake-shop…
∗∗∗ Using Discord infrastructure for malicious intent ∗∗∗
---------------------------------------------
Research by: Idan Shechter & Omer Ventura Check Point Research (CPR) spotted a multi-functional malware with the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord There are currently over 150 million monthly active users on Discord Users must be aware that Discord’s bot…
---------------------------------------------
https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-mal…
∗∗∗ Google unmasks two-year-old phishing & malware campaign targeting YouTube users ∗∗∗
---------------------------------------------
Almost two years after a wave of complaints flooded Googles support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Googles security team has finally tracked down the root cause of these attacks.
---------------------------------------------
https://therecord.media/google-unmasks-two-year-old-phishing-malware-campai…
∗∗∗ Kernel Karnage – Part 1 ∗∗∗
---------------------------------------------
I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”);
---------------------------------------------
https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM veröffentlichte 19 Security Bulletins.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco hat acht Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, eines als "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127 ∗∗∗
---------------------------------------------
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability.
---------------------------------------------
https://jira.atlassian.com/browse/JRASERVER-72003
∗∗∗ WinRAR’s vulnerable trialware: when free software isn’t free ∗∗∗
---------------------------------------------
In this article we discuss a vulnerability in the trial version of WinRAR which has significant consequences for the management of third-party software. This vulnerability allows an attacker to intercept and modify requests sent to the user of the application.
---------------------------------------------
https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-softwar…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws,
---------------------------------------------
https://lwn.net/Articles/873601/
∗∗∗ B. Braun Infusomat Space Large Volume Pump ∗∗∗
---------------------------------------------
This advisory contains mitigation for Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation vulnerabilities in the B. Braun Infusomat Space Large Volume Pump.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01
∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in ICONICS GENESIS64 and Mitsubishi Electric MC Works64 HMI SCADA systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-294-01
∗∗∗ Delta Electronics DIALink ∗∗∗
---------------------------------------------
This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Cross-site Scripting, Improper Neutralization of Formula Elements in a CSV File, Cleartext Storage of Sensitive Information, Uncontrolled Search Path Element, and Incorrect Default Permissions vulnerabilities in the Delta Electronics DIALink industrial automation server.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02
∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 OPC UA ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Recursion vulnerability in ICONICS GENESIS64, Mitsubishi Electric MC Works64 third-party OPC Foundation products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-294-03
∗∗∗ RCE in GridPro Request Management for Windows Azure Pack (CVE-2021-40371) ∗∗∗
---------------------------------------------
We recently discovered a vulnerability in GridPro Request Management versions <=2.0.7905 for Windows Azure Pack by GridPro Software. The vulnerability was assigned CVE-2021-40371 by GridPro and in the worst case scenario allows attackers to remotely execute code on the server.
---------------------------------------------
https://certitude.consulting/blog/en/rce-in-gridpro-request-management-for-…
∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei FusionCube Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-…
∗∗∗ Security Advisory - CSV Injection Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-…
∗∗∗ Security Advisory - Improper Signature Management Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily