Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 11.10.2021
by Daily end-of-shift report 11 Oct '21

11 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-10-2021 18:00 − Montag 11-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Missbrauch mit Malware-Befall: Microsoft deaktiviert Excel 4.0-Makros in Office ∗∗∗ --------------------------------------------- Gegen immer mehr Angriffe über Excel-Makros geht Microsoft nun vor: Standardmäßig werden alle Excel 4.0-Makros in Office 365 demnächst deaktiviert. --------------------------------------------- https://heise.de/-6213387 ∗∗∗ Kaufen Sie nicht in Shops mit @thateer.top Mail-Adressen ein! ∗∗∗ --------------------------------------------- Derzeit tauchen zahlreiche Fake-Shops im Internet auf, die alle ähnlich aufgebaut sind, die gleichen Texte verwenden und unter einer dieser E-Mail-Adressen erreichbar sind: [...] --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-shops-mit-thatee… ∗∗∗ Ransomware wegen Homeoffice auf dem Vormarsch ∗∗∗ --------------------------------------------- Bedingt durch die Coronavirus-Pandemie arbeiten seit 2020 Menschen vermehrt im Homeoffice. Leider konnte die Absicherung dieser Arbeitsplätze mit dieser Entwicklung nicht Schritt halten. Gleichzeitig hat die Cyberkriminalität mit der verstärkten Telearbeit in Unternehmen durch die Pandemiekrise weiter aufgerüstet und ihre [...] --------------------------------------------- https://www.borncity.com/blog/2021/10/11/ransomware-auf-dem-vormarsch/ ∗∗∗ The 5 Phases of Zero Trust Adoption ∗∗∗ --------------------------------------------- Zero trust aims to replace implicit trust with explicit, continuously adaptive trust across users, devices, networks, applications, and data. --------------------------------------------- https://www.darkreading.com/endpoint/the-5-phases-of-zero-trust-adoption ∗∗∗ Scanning for Previous Oracle WebLogic Vulnerabilities, (Sat, Oct 9th) ∗∗∗ --------------------------------------------- In the past few weeks, I have captured multiple instance of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to a RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the CVE-2017-3506 patch's limitations. The POST contains an init.sh script which doesn't appear to be available for download. --------------------------------------------- https://isc.sans.edu/diary/rss/27918 ∗∗∗ Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th) ∗∗∗ --------------------------------------------- If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27924 ∗∗∗ When criminals go corporate: Ransomware-as-a-service, bulk discounts and more ∗∗∗ --------------------------------------------- This summer, Abnormal Security discovered that some of its customers staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the "profits". --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/10/11/ransomware_a… ∗∗∗ CISA Releases Remote Access Guidance for Government Agencies ∗∗∗ --------------------------------------------- The United States Cybersecurity and Infrastructure Security Agency (CISA) last week announced the release a new guidance document: Trusted Internet Connections (TIC) 3.0 Remote User Use Case. --------------------------------------------- https://www.securityweek.com/cisa-releases-remote-access-guidance-governmen… ∗∗∗ InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks ∗∗∗ --------------------------------------------- Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available. --------------------------------------------- https://www.securityweek.com/inhand-router-flaws-could-expose-many-industri… ∗∗∗ Protect your network ∗∗∗ --------------------------------------------- So, you know where your wallet is, yes? And your phone - it's in your pocket, or just over there on the table? Excellent. You might be reading this on your laptop, so you know where that is. You might have a snazzy Smart TV or two? Perhaps you have joined [...] --------------------------------------------- https://connect.geant.org/2021/10/11/protect-your-network ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm). --------------------------------------------- https://lwn.net/Articles/872547/ ∗∗∗ Security Advisory - Use-after-free Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei PC Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-3757 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerability CVE-2021-31525 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ MediaWiki Extensions und Skins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1050 ∗∗∗ Apache OpenOffice und LibreOffice: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1051 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2021
by Daily end-of-shift report 08 Oct '21

08 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-10-2021 18:00 − Freitag 08-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rapid RYUK Ransomware Attack Group Christened as FIN12 ∗∗∗ --------------------------------------------- Prolific ransomware cybercrime groups approach underscores a complicated, layered model of cybercrime. --------------------------------------------- https://www.darkreading.com/attacks-breaches/rapid-ryuk-ransomware-attack-g… ∗∗∗ Sorting Things Out - Sorting Data by IP Address, (Fri, Oct 8th) ∗∗∗ --------------------------------------------- One thing that is huge in making sense of large volumes of data is sorting. Which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment of pentest. --------------------------------------------- https://isc.sans.edu/diary/rss/27916 ∗∗∗ Free BrewDog beer, with a side order of shareholder PII? ∗∗∗ --------------------------------------------- BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers. --------------------------------------------- https://www.pentestpartners.com/security-blog/free-brewdog-beer-with-a-side… ∗∗∗ FontOnLake: Previously unknown malware family targeting Linux ∗∗∗ --------------------------------------------- ESET researchers discover a malware family with tools that show signs they’re used in targeted attacks. --------------------------------------------- https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-mal… ∗∗∗ NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guid… ∗∗∗ Microsoft to disable Excel 4.0 macros, one of the most abused Office features ∗∗∗ --------------------------------------------- Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also XLM macros, for all Microsoft 365 users by the end of the year [...] --------------------------------------------- https://therecord.media/microsoft-to-disable-excel-4-0-macros-one-of-the-mo… ∗∗∗ Malicious PowerPoint Files Constantly Being Distributed ∗∗∗ --------------------------------------------- On April 2021, the ASEC analysis team introduced the malware delivered via PowerPoint files attached to email in the ASEC blog. The team has found continuous malicious activities that use PPAM files in the form of PowerPoint and thus is sharing them. --------------------------------------------- https://asec.ahnlab.com/en/26597/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/872267/ ∗∗∗ Google Patches Four Severe Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google this week announced the release of an updated Chrome version for Windows, Mac and Linux, to address a total of four high-severity vulnerabilities in the browser. --------------------------------------------- https://www.securityweek.com/google-patches-four-severe-vulnerabilities-chr… ∗∗∗ Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ∗∗∗ --------------------------------------------- On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-h… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-23436 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors (CVE-2021-29906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39135 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Access Control Vulnerability Affects the User Interface of IBM Sterling File Gateway (CVE-2020-4654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-vulnerabil… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Packet Capture contains multiple vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251, CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39134 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2020-5008) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1049 ∗∗∗ Johnson Controls exacqVision Server Bundle ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01 ∗∗∗ Mobile Industrial Robots Vehicles and MiR Fleet Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-02 ∗∗∗ Johnson Controls exacqVision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-04 ∗∗∗ InHand Networks IR615 Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06 ∗∗∗ FATEK Automation Communication Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2021
by Daily end-of-shift report 07 Oct '21

07 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-10-2021 18:00 − Donnerstag 07-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Air-Gap-Hack: LAN-Kabel als Antenne nutzen, um Daten auszuleiten ∗∗∗ --------------------------------------------- Auch wenn ein Netzwerk nicht mit dem Internet verbunden ist, lassen sich Daten ausleiten. Dazu hat ein Forscher ein LAN-Kabel zur Antenne umfunktioniert. --------------------------------------------- https://www.golem.de/news/air-gap-hack-lan-kabel-als-antenne-nutzen-um-date… ∗∗∗ Cisco schließt Root-Lücke in Intersight Virtual Appliance ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Software wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-6211537 ∗∗∗ Neue Malware-Familie für Linux entdeckt ∗∗∗ --------------------------------------------- Die von ihren Entdeckern FontOnLake getaufte Malware-Familie aus trojanisierten Programmen, Backdoors und einem Rootkit eignet sich für gezielte Angriffe. --------------------------------------------- https://heise.de/-6211764 ∗∗∗ Tor Browser und Tails: Anonymisierender Browser & OS in abgesicherten Versionen ∗∗∗ --------------------------------------------- Etwas später als geplant ist eine neue Version der Linux-Distribution Tails erschienen. An Bord hat sie den ebenfalls taufrischen Tor Browser 10.5.8. --------------------------------------------- https://heise.de/-6211744 ∗∗∗ Hackers use stealthy ShellClient malware on aerospace, telco firms ∗∗∗ --------------------------------------------- Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-stealthy-shellcl… ∗∗∗ Unpatched Dahua cams vulnerable to unauthenticated remote access ∗∗∗ --------------------------------------------- Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case of upgrading pressing. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnera… ∗∗∗ MacOS Security: What Security Teams Should Know ∗∗∗ --------------------------------------------- As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees. --------------------------------------------- https://www.darkreading.com/edge-articles/mac-attacks-how-secure-are-the-ma… ∗∗∗ Ransomware in the CIS ∗∗∗ --------------------------------------------- Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker. --------------------------------------------- https://securelist.com/cis-ransomware/104452/ ∗∗∗ Apache HTTP Server CVE-2021-41773 Exploited in the Wild ∗∗∗ --------------------------------------------- On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. --------------------------------------------- https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-417… ∗∗∗ Medtronics Insulin Pump Controllers Are Vulnerable to Hackers ∗∗∗ --------------------------------------------- The company just expanded its recall of insulin pump remote controllers that can be hijacked to alter insulin amounts. Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorized people could hijack the devices to alter how much insulin is delivered to a patient. --------------------------------------------- https://gizmodo.com/medtronics-insulin-pump-controllers-are-vulnerable-to-h… ∗∗∗ Life is Pane: Persistence via Preview Handlers ∗∗∗ --------------------------------------------- [...] The preview pane allows users to have a quick peek at the content of a selected file without actually having to open it. This feature is disabled on default Windows 10 builds, but can be enabled in the Explorer menu under View→Preview pane. While this seems relatively simple at face value, it is anything but under the hood. For example, how does Windows know how to display the contents of certain filetypes but not others? Are the previews controlled by Explorer or is it done in another process? Are these handlers abusable? We spent a few days exploring preview handlers to gain a deeper understanding of how they work and answer these questions. --------------------------------------------- https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3… ∗∗∗ CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation ∗∗∗ --------------------------------------------- In June of 2021, Microsoft released a patch to correct CVE-2021-26420 - a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Security Advisories zu 16 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, sechs als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2021-10-07 ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: Cisco ATA19X Privilege Escalation and RCE ∗∗∗ --------------------------------------------- 1. Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the “user” account from performing “admin”-privileged actions. As such, a user who logs in with “user” privileges is able to perform actions that should only be performed by an “admin” user. 2. Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers [...] --------------------------------------------- https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalati… ∗∗∗ CVE-2021-33602: Denial-of-Service (DoS) Vulnerabilty ∗∗∗ --------------------------------------------- A vulnerability affecting the F-Secure antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in denial-of-service of the antivirus engine. --------------------------------------------- https://www.f-secure.com/en/business/support-and-downloads/security-advisor… ∗∗∗ Typo3: Neue Version schließt zwei Sicherheitslücken im CMS ∗∗∗ --------------------------------------------- Lücken im Content-Management-System hätten Angreifern schlimmstenfalls Admin-Rechte gewähren können. Die neue Typo3-Version 11.5 bannt die Gefahr. --------------------------------------------- https://heise.de/-6211486 ∗∗∗ High Severity Vulnerability Patched in Access Demo Importer Plugin ∗∗∗ --------------------------------------------- On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 [...] --------------------------------------------- https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle). --------------------------------------------- https://lwn.net/Articles/872154/ ∗∗∗ Apache OpenOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1041 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2021
by Daily end-of-shift report 06 Oct '21

06 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-10-2021 18:00 − Mittwoch 06-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Collaborative Research on the CONTI Ransomware Group ∗∗∗ --------------------------------------------- Ransomware remains one of the pre-eminent cyber threats, with the evolution in tactics, techniques and procedures (TTPs) amongst threat actor groups over recent years upping the stakes for both victims and defenders. --------------------------------------------- https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-… ∗∗∗ Syniverse: Möglicherweise SMS von Milliarden Menschen gehackt ∗∗∗ --------------------------------------------- Hacker sind über Jahre in ein Unternehmen eingedrungen, das Anrufe und SMS zwischen Mobilfunkunternehmen austauscht. --------------------------------------------- https://www.golem.de/news/syniverse-moeglicherweise-sms-von-milliarden-mens… ∗∗∗ Threat hunting in large datasets by clustering security events ∗∗∗ --------------------------------------------- Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. --------------------------------------------- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets… ∗∗∗ Landespolizeidirektion Steiermark: Warnung vor Betrugsversuchen mittels LPD-SMS ∗∗∗ --------------------------------------------- Am Montag, 4. Oktober 2021, versendeten unbekannte Täter in betrügerischer Absicht SMS Nachrichten. Als Absender scheint "Landespolizeidirektion (LPD) auf". Die Polizei warnt eindringlich vor diesen Betrugsversuchen. --------------------------------------------- https://www.watchlist-internet.at/news/landespolizeidirektion-steiermark-wa… ∗∗∗ Unsere Tipps, um unseriöse Notfalldienste zu entlarven! ∗∗∗ --------------------------------------------- Bei Notfällen wie einem Rohrbruch, Stromausfall oder einem Gasgebrechen ist schnelle Hilfe notwendig. Häufig bleibt da für eine genaue Überprüfung der Handwerksdienste keine Zeit. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-tipps-um-unserioese-notfalldi… ∗∗∗ Cybersecurity in Power Grids: Challenges and Opportunities. (arXiv:2105.00013v2 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- Increasing volatilities within power transmission and distribution forcepower grid operators to amplify their use of communication infrastructure tomonitor and control their grid. The resulting increase in communication creates a larger attack surface for malicious actors. --------------------------------------------- http://arxiv.org/abs/2105.00013 ===================== = Vulnerabilities = ===================== ∗∗∗ Actively exploited Apache 0-day also allows remote code execution ∗∗∗ --------------------------------------------- Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed. These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlicht 31 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cryptopp), Mageia (apache), Slackware (httpd), and Ubuntu (squid, squid3). --------------------------------------------- https://lwn.net/Articles/872029/ ∗∗∗ FortiWebManager - Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-027 ∗∗∗ FortiAnalyzer & FortiManager - Forticloud credentials observed in cleartext in the logfile ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-21-112 ∗∗∗ FortiSDNConnector - Credential leak ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-183 ∗∗∗ FortiClientEMS - Session cookie does not expire after logout ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-072 ∗∗∗ XSA-386 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-386.html ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1034 ∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-01 ∗∗∗ Emerson WirelessHART Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02 ∗∗∗ Moxa MXview Network Management Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-03 ∗∗∗ Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSMA-18-219-02 ∗∗∗ CISA Releases Security Advisory for Honeywell Experion and ACE Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2021
by Daily end-of-shift report 05 Oct '21

05 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 04-10-2021 18:00 − Dienstag 05-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New UEFI bootkit used to backdoor Windows devices since 2012 ∗∗∗ --------------------------------------------- A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since at least 2012. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-bac… ∗∗∗ HiKam - "Hi – Ich bin (nicht) deine Kamera" ∗∗∗ --------------------------------------------- Die Sicherheit von IoT-Geräten, wie z.B. Überwachungskameras, sollte viel mehr im Fokus von Herstellern und Nutzern liegen. In der Realität ist dies leider nicht der Fall. Jahr für Jahr werden mehr IoT-Geräte entdeckt, die eine P2P-Cloud-Verbindung nutzen. Der Defcon-Talk von Paul Marrapese letztes Jahr und die letzte Entdeckung von Mandiant beschreiben nur einen Auszug dessen, was sich in diesem Bereich der IT-Security abgespielt hat. Im Rahmen dieses Blogposts möchten wir Ihnen aktuelle Informationen zur zugrundeliegenden IoT-Sicherheitsproblematik anhand eines konkreten Gerätes vorstellen: die HiKam S6. --------------------------------------------- https://sec-consult.com/de/blog/detail/hikam-hi-ich-bin-nicht-deine-kamera/ ∗∗∗ Kleinanzeigenbetrug mit gefälschter Post-Website ∗∗∗ --------------------------------------------- Kriminelle verwenden eine gefälschte Post-Website www.post-service.online für Kleinanzeigenbetrug. Sie suchen nach hochpreisigen Angeboten und geben vor, den Kauf über einen erfundenen Kurierservice der Post abwickeln zu wollen. Ziel ist es, den Opfern das Geld aus der Tasche zu ziehen, denn in weiterer Folge werden Kreditkartendaten abgefragt und die Freigabe einer Zahlung verlangt. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-gefaelschter… ===================== = Vulnerabilities = ===================== ∗∗∗ Löchrige UPnP-Umsetzung in alten Broadcom-SDKs macht Router angreifbar ∗∗∗ --------------------------------------------- Einige Routermodelle mit EoL-Status etwa von Linksys & Cisco sind dank Lücken in alten Broadcom-SDK-Versionen via UPnP angreifbar. Updates gibt es nicht. --------------------------------------------- https://heise.de/-6209100 ∗∗∗ Sicherheitsupdate: Angreifer könnten auf Dateien von Apache-Webservern zugreifen ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Apache-Webserver abgesehen. Davon ist aber nur eine bestimmte Version bedroht. Die Path-Traversal-Lücke (CVE-2021-41773) betrifft ausschließlich die Apache-HTTP-Server-Version 2.4.49. --------------------------------------------- https://heise.de/-6209130 ∗∗∗ TYPO3-CORE-SA-2021-015: HTTP Host Header Injection in Request Handling ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. CVE-ID: CVE-2021-41114 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2021-015 ∗∗∗ TYPO3-CORE-SA-2021-014: Cross-Site-Request-Forgery in Backend URI Handling ∗∗∗ --------------------------------------------- It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. [...] To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2021-014 ∗∗∗ Android Security Bulletin—October 2021 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-10-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2021-10-01 ∗∗∗ docker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in docker ausnutzen, um seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1033 ∗∗∗ SYSS-2021-047: Authentication Bypass in Omikron MultiCash ∗∗∗ --------------------------------------------- In der Desktopanwendung MultiCash 4 können mittels der Rechte- und Passwortüberprüfung administrative Rechte über die Anwendung erlang werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-047-authentication-bypass-in-omi… ∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote… ∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple vulnerabilities in the Java runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to multiple vulnerabilities in Apache Tika ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-… ∗∗∗ Security Bulletin: Vulnerability in MetadataExtractor used by Apache Solr affect IBM Operations Analytics – Log Analysis Analysis (CVE-2019-14262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-metadata… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2021
by Daily end-of-shift report 04 Oct '21

04 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-10-2021 18:00 − Montag 04-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware: Conti-Erpressergruppe verbittet sich Leaks ihrer Verhandlungs-Chats ∗∗∗ --------------------------------------------- Die Cyberkriminellen hinter der Conti-Ransomware drohen jedem Opfer mit Veröffentlichung seiner Daten, sollten Details über die Erpressung im Netz auftauchen. --------------------------------------------- https://heise.de/-6206790 ∗∗∗ Andoid-Banking-Trojaner Hydra hat es auf Commerzbank-Kunden abgesehen ∗∗∗ --------------------------------------------- Online-Kriminelle versuchen Kunden der Commerzbank abzuzocken. Damit es dazu kommt, müssen Opfer aber mitspielen. --------------------------------------------- https://heise.de/-6207752 ∗∗∗ SMS mit Link zu Fotoalbum verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Zahlreiche NutzerInnen berichten, dass sie SMS mit einem Link zu einem Fotoalbum erhalten. Angeblich wurden dort private Fotos hochgeladen. Achtung: Der Link führt zu Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/sms-mit-link-zu-fotoalbum-verbreitet… ∗∗∗ Webinar: Internetkriminalität - so schützen Sie sich! ∗∗∗ --------------------------------------------- Internetfallen & Betrugsmaschen werden immer ausgeklügelter. Umso wichtiger ist die Fähigkeit, Merkmale einer Betrugsmasche frühzeitig zu erkennen. In einem Webinar geben wir Ihnen einen Überblick über aktuelle Bedrohungen im Internet und zeigen Ihnen, wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-so-sch… ∗∗∗ Endpoint Security ist überall gefragt ∗∗∗ --------------------------------------------- Viele Endpunkte mögen auf den ersten Blick unwichtig erscheinen. Aber ungeschützte Systeme mit oder ohne Internetzugang sind ein Einfallstor für Hacker. Deshalb ist ein umfassendes Konzept für Endpoint Security für Unternehmen jeder Größe sehr wichtig. --------------------------------------------- https://www.zdnet.de/88397023/endpoint-security-ist-ueberall-gefragt/ ∗∗∗ New Atom Silo ransomware targets vulnerable Confluence servers ∗∗∗ --------------------------------------------- Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy their ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-atom-silo-ransomware-tar… ∗∗∗ Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts ∗∗∗ --------------------------------------------- The group uses millions of password combos at the rate of nearly 2,700 login attempts per second with new techniques that push the ATO envelope. --------------------------------------------- https://threatpost.com/proxy-phantom-fraud-ecommerce-accounts/175241/ ∗∗∗ PoC Exploit Released for macOS Gatekeeper Bypass ∗∗∗ --------------------------------------------- Rasmus Sten, a software engineer with F-Secure, has released proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple patched in April this year. The PoC exploit targets CVE-2021-1810, a vulnerability that can lead to the bypass of all three protections that Apple implemented against malicious file downloads, namely file quarantine, Gatekeeper, and notarization. --------------------------------------------- https://www.securityweek.com/poc-exploit-released-macos-gatekeeper-bypass ∗∗∗ Boutique "Dark" Botnet Hunting for Crumbs ∗∗∗ --------------------------------------------- [...] But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard. One such botnet is "Dark Bot". --------------------------------------------- https://isc.sans.edu/diary/rss/27898 ∗∗∗ Expired Lets Encrypt Root Certificate Causes Problems for Many Companies ∗∗∗ --------------------------------------------- A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems. read more --------------------------------------------- https://www.securityweek.com/expired-lets-encrypt-root-certificate-causes-p… ∗∗∗ BazarLoader and the Conti Leaks ∗∗∗ --------------------------------------------- In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while [...] --------------------------------------------- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ ∗∗∗ Misconfigured Airflows Leak Thousands of Credentials from Popular Services ∗∗∗ --------------------------------------------- Apache Airflow is the #1 starred open-source workflows application on GitHub Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-cre… ∗∗∗ Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester ∗∗∗ --------------------------------------------- In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share. --------------------------------------------- https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, [...] --------------------------------------------- https://lwn.net/Articles/871841/ ∗∗∗ Shodan Verified Vulns 2021-10-01 ∗∗∗ --------------------------------------------- Mit 2021-10-01 sah die Schwachstellenlandschaft in Österreich laut Shodan wie folgt aus: Wie auch in den letzten Monaten dominieren TLS/SSL-Schwachstellen sowie Lücken in Microsofts Exchange Server das Bild. Während Server, die für die im März veröffentlichte und geschlossene "ProxyLogon" Exploit-Chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) anfällig sind, mittlerweile eher selten sind, scheinen die im April bzw. Mai [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/10/shodan-verified-vulns-2021-10-01 ∗∗∗ Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series ∗∗∗ --------------------------------------------- BOSCH-SA-741752: The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which - in combination - ultimately enable an attacker to log in to the system. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-741752.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Netty vulnerability CVE-2021-21295 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55834441 ∗∗∗ OpenSSL vulnerability CVE-2021-3712 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19559038 ∗∗∗ Red Enterprise Linux Advanced Virtualization: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2021
by Daily end-of-shift report 01 Oct '21

01 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-09-2021 18:00 − Freitag 01-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hydra malware targets customers of Germanys second largest bank ∗∗∗ --------------------------------------------- The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically, customers of Commerzbank, Germanys second-largest financial institution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hydra-malware-targets-custom… ∗∗∗ Flubot Android malware now spreads via fake security updates ∗∗∗ --------------------------------------------- The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-android-malware-now-s… ∗∗∗ Hackers rob thousands of Coinbase customers using MFA flaw ∗∗∗ --------------------------------------------- Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the companys SMS multi-factor authentication security feature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coi… ∗∗∗ New Tool to Add to Your LOLBAS List: cvtres.exe , (Fri, Oct 1st) ∗∗∗ --------------------------------------------- LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious processes activity on a system (proactively or in forensics investigation). --------------------------------------------- https://isc.sans.edu/diary/27892 ∗∗∗ Introduction to ICS Security Part 3 ∗∗∗ --------------------------------------------- In part 3 of the Introduction to ICS blog series, Stephan Mathezer discusses Remote Access Connections into ICS, examines why they here to stay, and reviews the best practices for securing them. --------------------------------------------- https://www.sans.org/blog/introduction-to-ics-security-part-3/ ∗∗∗ Android Trojan GriftHorse, the gift horse you definitely should look in the mouth ∗∗∗ --------------------------------------------- The GriftHorse Android Trojan is a widespread campaign with millions of victims in over 70 countries. --------------------------------------------- https://blog.malwarebytes.com/android/2021/09/android-trojan-grifthorse-the… ∗∗∗ ESET Threat Report T2 2021 ∗∗∗ --------------------------------------------- Unsere Sicherheitsforscher analysieren die Cybersicherheitslage und die ESET-Telemetriedaten im zweiten Drittel des Jahres 2021. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/09/30/eset-threat-report-t2-202… ∗∗∗ Heute startet der Europäische Monat der Cyber-Sicherheit! ∗∗∗ --------------------------------------------- Wie jedes Jahr steht auch heuer der Oktober ganz im Zeichen der Cyber-Sicherheit. Auch Österreich nimmt wieder an der EU-weiten Kampagne „European Cyber Security Month“ (ESCM) teil. Ziel ist es, das Bewusstsein über die Risiken im Netz zu stärken und gezielt Informationen zur IT-Sicherheit zu verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/heute-startet-der-europaeische-monat… ∗∗∗ Credential Harvesting at Scale Without Malware ∗∗∗ --------------------------------------------- Email credential harvesting can lead to business email compromise and ransomware. Often, attackers simply ask for victims’ credentials. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-harvesting/ ∗∗∗ Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires ∗∗∗ --------------------------------------------- Experts had been warning for weeks that there would be issues resulting from the expiration of root CA certificates provided by Lets Encrypt. --------------------------------------------- https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-r… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 11 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, krb5, openssl1.0, and taglib), Fedora (cifs-utils), SUSE (libqt5-qtbase and rubygem-activerecord-4_2), and Ubuntu (linux-raspi, linux-raspi-5.4 and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/871564/ ∗∗∗ Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google on Thursday announced the rollout of a Chrome update to address four security vulnerabilities, including two that are already being exploited in the wild. --------------------------------------------- https://www.securityweek.com/google-patches-two-more-exploited-zero-day-vul… ∗∗∗ Command Injection Vulnerability in QVR ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-38 ∗∗∗ Stored XSS Vulnerabilities in Photo Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-41 ∗∗∗ Stored XSS Vulnerability in Photo Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-42 ∗∗∗ Stored XSS Vulnerability in Image2PDF ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-43 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2021
by Daily end-of-shift report 30 Sep '21

30 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-09-2021 18:00 − Donnerstag 30-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomEXX ransomware Linux encryptor may damage victims files ∗∗∗ --------------------------------------------- Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-e… ∗∗∗ Stop That Phish! ∗∗∗ --------------------------------------------- Although ransomware holds a significant mindshare in security, phishing continues to be an effective and efficient tool for threat actors. In this blog, Tim Helming walks through various anti-phishing tools and methods available to defenders. --------------------------------------------- https://www.domaintools.com/resources/blog/stop-that-phish ∗∗∗ An overview of malware hashing algorithms ∗∗∗ --------------------------------------------- VirusTotals "Basic Properties" tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures. Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function? --------------------------------------------- https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-a… ∗∗∗ TLS-Zertifikate: Altes Lets-Encrypt-Root läuft ab ∗∗∗ --------------------------------------------- Bei Fehlkonfigurationen und alten Geräten können Zertifikatsfehler mit Lets Encrypt auftreten. --------------------------------------------- https://www.golem.de/news/tls-zertifikate-altes-let-s-encrypt-root-laeuft-a… ∗∗∗ GhostEmperor: From ProxyLogon to kernel mode ∗∗∗ --------------------------------------------- While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor. --------------------------------------------- https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/ ∗∗∗ What is Cryptocurrency Mining Malware? ∗∗∗ --------------------------------------------- Cryptocurrency mining malware is typically a stealthy malware that farms the resources on a system (computers, smartphones, and other electronic devices connected to the internet) to generate revenue for the cyber criminals controlling it. Instead of using video game consoles or graphics card farms, these particular cryptominers are using the computers and servers of the people around them for their processing power - without permission. --------------------------------------------- https://blog.sucuri.net/2021/09/what-is-cryptocurrency-mining-malware-2.html ∗∗∗ Apple-Pay-Funktion erlaubt angeblich Geldklau von gesperrten iPhones ∗∗∗ --------------------------------------------- Sicherheitsexperten haben die Express-ÖPNV-Funktion auf Herz und Nieren getestet und kommen zu dem Schluss, dass unerwünschte Visa-Zahlungen möglich sind. --------------------------------------------- https://heise.de/-6204960 ∗∗∗ Bericht: Android-Trojaner GriftHorse kassiert bei über 10 Millionen Opfern ab ∗∗∗ --------------------------------------------- Online-Kriminelle sollen mit Trojaner-Apps Abos abschließen und darüber hunderte Millionen Euro erbeutet haben, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6205272 ∗∗∗ A wolf in sheeps clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus ∗∗∗ --------------------------------------------- By Vitor Ventura and Arnaud Zobec. Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. --------------------------------------------- https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html ∗∗∗ Telemetry Report Shows Patch Status of High-Profile Vulnerabilities ∗∗∗ --------------------------------------------- A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user. --------------------------------------------- https://www.securityweek.com/telemetry-report-shows-patch-status-high-profi… ∗∗∗ The Ransomware Threat in 2021 ∗∗∗ --------------------------------------------- New research from Symantec finds that organizations face an unprecedented level of danger from targeted ransomware attacks as the number of adversaries multiply alongside an increased sophistication in tactics. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ra… ∗∗∗ Facebook open-sources internal tool used to detect security bugs in Android apps ∗∗∗ --------------------------------------------- Facebook has open-sourced Mariana Trench, one of its internal security tools, used by its security teams for finding and fixing bugs in Android and Java applications. --------------------------------------------- https://therecord.media/facebook-open-sources-internal-tool-used-to-detect-… ∗∗∗ Ransomware attack disrupts hundreds of bookstores across France, Belgium, and the Netherlands ∗∗∗ --------------------------------------------- Hundreds of bookstores across France, Belgium, and the Netherlands have had their operations disrupted this week after a ransomware attack crippled the IT systems of TiteLive, a French company that operates a SaaS platform for book sales and inventory management. --------------------------------------------- https://therecord.media/ransomware-attack-disrupts-hundreds-of-bookstores-a… ∗∗∗ After the storm - how to move on with NTLM ∗∗∗ --------------------------------------------- I remember that, about 15 years ago, we already flagged the absence of SMB signing as a vulnerability in reports. Though at that time, we circled more around the theoretical risk of someone tampering SMB traffic due to the lack of integrity protection. None of us really had an idea how to make use of that vulnerability. The later obviously changed. --------------------------------------------- https://cyberstoph.org/posts/2021/09/after-the-storm-how-to-move-on-with-nt… ===================== = Vulnerabilities = ===================== ∗∗∗ Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042 ∗∗∗ --------------------------------------------- Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. It does not sufficiently sanitize user input. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bundle. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-042 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxstream-java, uwsgi, and weechat), Fedora (libspf2, libvirt, mingw-python3, mono-tools, python-flask-restx, and sharpziplib), Mageia (gstreamer, libgcrypt, libgd, mosquitto, php, python-pillow, qtwebengine5, and webkit2), openSUSE (postgresql12 and postgresql13), SUSE (haproxy, postgresql12, postgresql13, and rabbitmq-server), and Ubuntu (commons-io and linux-oem-5.13). --------------------------------------------- https://lwn.net/Articles/871424/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 12 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Boston Scientific Zoom Latitude ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques, Improper Access Control, Missing Support for Integrity Check, and Reliance on Component That is Not Updateable vulnerabilities in the Boston Scientific Zoom Latitude programmer/recorder/monitor (PRM) 3120 model. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210929… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2021
by Daily end-of-shift report 29 Sep '21

29 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-09-2021 18:00 − Mittwoch 29-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NSA, CISA share VPN security tips to defend against hackers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released guidance for hardening the security of virtual private network (VPN) solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nsa-cisa-share-vpn-security-… ∗∗∗ Why Should I Care About HTTP Request Smuggling? ∗∗∗ --------------------------------------------- HTTP request smuggling is a growing vulnerability, but you can manage the risk with proper server configuration. --------------------------------------------- https://www.darkreading.com/edge-ask-the-experts/why-should-i-care-about-ht… ∗∗∗ DarkHalo after SolarWinds: the Tomiris connection ∗∗∗ --------------------------------------------- We discovered a campaign delivering the Tomiris backdoor that shows a number of similarities with the Sunshuttle malware distributed by DarkHalo APT and target overlaps with Kazuar. --------------------------------------------- https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104… ∗∗∗ Conti Ransomware Expands Ability to Blow Up Backups ∗∗∗ --------------------------------------------- The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software. --------------------------------------------- https://threatpost.com/conti-ransomware-backups/175114/ ∗∗∗ How nation-state attackers like NOBELIUM are changing cybersecurity ∗∗∗ --------------------------------------------- In the first of a four-part series on the NOBELIUM nation-state attack, we describe the attack and explain why enterprises should be cautious. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/28/how-nation-state-attacke… ∗∗∗ Serious Security: Let’s Encrypt gets ready to go it alone (in a good way!) ∗∗∗ --------------------------------------------- Lets Encrypt is set to become a mainstream, self-certifying web certificate authority - heres why it took so many years. --------------------------------------------- https://nakedsecurity.sophos.com/2021/09/28/serious-security-lets-encrypt-g… ∗∗∗ Keeping Track of Time: Network Time Protocol and a GPSD Bug, (Wed, Sep 29th) ∗∗∗ --------------------------------------------- The Network Time Protocol (NTP) has been critical in ensuring time is accurately kept for various systems businesses and organizations rely on. --------------------------------------------- https://isc.sans.edu/diary/rss/27886 ∗∗∗ Phone screenshots accidentally leaked online by stalkerware-type company ∗∗∗ --------------------------------------------- Stalkerware-type company pcTattleTale hasnt been very careful about securing the screenshots it sneakily takes from its victims phones. --------------------------------------------- https://blog.malwarebytes.com/stalkerware/2021/09/phone-screenshots-acciden… ∗∗∗ Betrügerische Mail im Namen der Volksbank unterwegs ∗∗∗ --------------------------------------------- Derzeit werden massenhaft betrügerische Phishing-Mails im Namen der Volksbank verschickt. Angeblich wurde eine „irrtümlich ausgeführte Überweisung“ gesperrt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mail-im-namen-der-vol… ∗∗∗ New GriftHorse malware has infected more than 10 million Android phones ∗∗∗ --------------------------------------------- Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis. --------------------------------------------- https://therecord.media/new-grifthorse-malware-has-infected-more-than-10-mi… ===================== = Vulnerabilities = ===================== ∗∗∗ AirTags als Echtwelt-Trojaner: Apple lässt XSS-Lücke über Monate offen ∗∗∗ --------------------------------------------- Ein weiterer Sicherheitsforscher hat wegen Verärgerung über Apples zugeknöpftes Bug-Bounty-Programm eine Zero-Day-Schwachstelle veröffentlicht. --------------------------------------------- https://heise.de/-6204364 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (iaito, libssh, radare2, and squashfs-tools), openSUSE (hivex, shibboleth-sp, and transfig), SUSE (python-urllib3 and shibboleth-sp), and Ubuntu (apache2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, and linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11). --------------------------------------------- https://lwn.net/Articles/871227/ ∗∗∗ Security Bulletin: Bulletin: App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bulletin-app-connect-prof… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.14.0 ESR + CVE-2021-29967) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF14 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affects App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29834 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Aspera Web Application (Console, Shares) are affected by jQuery vulnerability (cross-site scripting) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-application-co… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU (minus CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ F-Secure Internet Gatekeeper: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1020 ∗∗∗ Elastic Stack Misconfiguration can lead to DDoS or Data Exfiltration ∗∗∗ --------------------------------------------- https://securitythreatnews.com/2021/09/29/elastic-stack-misconfiguration-ca… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2021
by Daily end-of-shift report 28 Sep '21

28 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-09-2021 18:00 − Dienstag 28-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor ∗∗∗ --------------------------------------------- In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobeli… ∗∗∗ TLS 1.3 and SSL - the current state of affairs, (Tue, Sep 28th) ∗∗∗ --------------------------------------------- It has been over 3 years since the specification for TLS 1.3 was published, and although the protocol has some minor drawbacks, it is undoubtedly the most secure TLS version so far. One would therefore hope that the adoption of TLS 1.3 and its use on web servers around the globe would steadily increase over time (ideally hand in hand with a slow disappearance of older cryptographic protocols, especially the historic SSL 2.0 and SSL 3.0). --------------------------------------------- https://isc.sans.edu/diary/rss/27882 ∗∗∗ Securing mobile devices. A timely reminder ∗∗∗ --------------------------------------------- If you’re commuting again or if you’re responsible for securing your people’s devices it’s a good idea to revisit and review your security admin for mobile devices. This post isn’t breaking any new ground, but it is a good place to start that review process, and think about your security behaviours. --------------------------------------------- https://www.pentestpartners.com/security-blog/securing-mobile-devices-a-tim… ∗∗∗ Vorsicht, wenn die Wohnungsbesichtigung über booking.com abgewickelt werden sollte ∗∗∗ --------------------------------------------- Sie haben endlich Ihre Traumwohnung gefunden? Der einzige Haken: Sie sollten schon vor der Besichtigung eine Kaution bezahlen, die angeblich von booking.com verwaltet wird? Dann sind Sie auf ein betrügerisches Wohnungsinserat gestoßen. Zahlen Sie keinesfalls eine Kaution vor der Besichtigung. Diese Wohnung gibt es nicht und Sie verlieren Ihre geleistete Zahlung! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-die-wohnungsbesichtigu… ∗∗∗ Highlights From the Unit 42 Cloud Threat Report, 2H 2021 ∗∗∗ --------------------------------------------- In the Unit 42 Cloud Threat Report, 2H 2021, our researchers dive deep into the full scope of supply chain attacks in the cloud and explain often misunderstood details about how they occur. We also provide actionable recommendations any organization can adopt immediately to begin protecting their software supply chains in the cloud. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-threat-report-2h-2021/ ∗∗∗ Anatomy and Disruption of Metasploit Shellcode ∗∗∗ --------------------------------------------- In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shell… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1116: NETGEAR R7800 net-cgi Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 routers. Authentication is not required to exploit this vulnerability. CVE ID: CVE-2021-34947 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1116/ ∗∗∗ SSA-728618: Multiple Vulnerabilities in Solid Edge before SE2021MP8 ∗∗∗ --------------------------------------------- Siemens has released a new version for Solid Edge that fixes multiple file parsing vulnerabilities which could be triggered when the application reads files in IFC, JT or OBJ formats. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-728618.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim). --------------------------------------------- https://lwn.net/Articles/871096/ ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- D-LINK Router DIR-X1560 < 1.04B04, D-LINK Router DIR-X6060 < 1.02B01 Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiedenen D-LINK Routern ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1019 ∗∗∗ Security Bulletin: IBM Security SOAR is using a version of Elasticsearch that has known vulnerabilities (CVE-2021-22137, CVE-2021-22135) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2021-32029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily