Daily

daily@lists.cert.at

1 participants
3085 discussions

Tageszusammenfassung - 14.04.2021
by Daily end-of-shift report 14 Apr '21

14 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-04-2021 18:00 − Mittwoch 14-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft schließt weitere Lücken in Windows und Mail/Groupware-System Exchange ∗∗∗ --------------------------------------------- Microsoft veröffentlicht über 2700 kritische und wichtige Updates für Exchange und Windows 10, aber auch für Windows 7 und 8.1 sowie ältere Serversysteme. --------------------------------------------- https://heise.de/-6015002 ∗∗∗ Patchday: Adobe verteilt Sicherheitsupdates gegen teils kritische Lücken ∗∗∗ --------------------------------------------- Aus Adobe Photoshop, Digital Editions & Bridge (Windows, macOS) wurden kritische Sicherheitslücken entfernt. Auch RoboHelp für Win bekam ein wichtiges Update. --------------------------------------------- https://heise.de/-6015086 ∗∗∗ Microsoft-Patchday: Updates entfernen aktiv genutzten Angriffsweg aus Windows ∗∗∗ --------------------------------------------- Zum Patchday hat Microsoft unter anderem eine Schwachstelle im Desktop Window Manager in Win 10 & Server-Pendants behoben, die derzeit aktiv ausgenutzt wird. --------------------------------------------- https://heise.de/-6015082 ∗∗∗ Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere ∗∗∗ --------------------------------------------- Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security [...] --------------------------------------------- https://blog.talosintelligence.com/2021/04/vuln-spotlight-azure-sphere-apri… ∗∗∗ Vorsicht! Unseriöse Praktiken bei über 120 Datingplattformen von Date4Friend AG! ∗∗∗ --------------------------------------------- Die Schweizer Firma Date4Friend AG betreibt zahlreiche Datingplattformen im deutschsprachigen Raum. Doch viele NutzerInnen ärgern sich über die Angebote von Date4Friend AG. So entpuppen sich eigentlich günstige Abos rasch als teure Abo-Falle. VerbraucherInnen beschweren sich zudem darüber, dass Abo-Kündigungen nicht angenommen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-unserioese-praktiken-bei-ue… ∗∗∗ 100,000 Google Sites Used to Install SolarMarket RAT ∗∗∗ --------------------------------------------- Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains. --------------------------------------------- https://threatpost.com/google-sites-solarmarket-rat/165396/ ∗∗∗ Jahresbericht 2020 von CERT.at und GovCERT Austria veröffentlicht ∗∗∗ --------------------------------------------- 2020 war einiges los in Bezug auf IT-Sicherheit in Österreich: Im Jänner sorgten CVE-2019-19781 a.k.a. "Shitrix" und der Angriff auf das BMEIA für einen turbulenten Start und den Rest des Jahres beschäftigten uns unter anderem Emotet, Ransomware und nicht eingespielte Updates. Aber auch abseits vom Tagesgeschäft der IT-Sicherheit hat sich einiges getan [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/4/jahresbericht-2020-von-certat-und-govce… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April Patch Tuesday ∗∗∗ --------------------------------------------- One month after disclosing four zero-day vulnerabilities in Exchange Server, Microsoft addresses four additional vulnerabilities discovered by the National Security Agency (NSA). --------------------------------------------- https://de.tenable.com/blog/cve-2021-28480-cve-2021-28481-cve-2021-28482-cv… ∗∗∗ New WhatsApp Bugs Couldve Let Attackers Hack Your Phone Remotely ∗∗∗ --------------------------------------------- Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even compromise encrypted communications. The flaws take aim at devices running Android versions up to and including Android 9 by carrying out whats known as a "man-in-the-disk" attack [...] --------------------------------------------- https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.ht… ∗∗∗ Recent Patches Rock the Elementor Ecosystem ∗∗∗ --------------------------------------------- Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints. --------------------------------------------- https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (screen), Debian (clamav, courier-authlib, and tomcat9), Red Hat (thunderbird), SUSE (clamav, glibc, kernel, open-iscsi, opensc, spamassassin, thunderbird, wpa_supplicant, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/852627/ ∗∗∗ New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291) ∗∗∗ --------------------------------------------- CVE-2021-20291 leads to a denial of service of the container engines CRI-O and Podman when pulling a malicious image from a registry. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2021-20291/ ∗∗∗ Schneider Electric SoMachine Basic ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Schneider Electric SoMachine Basic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-01 ∗∗∗ Advantech WebAccessSCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in Advantech WebAccess/SCADA browser-based software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-02 ∗∗∗ JTEKT TOYOPUC products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Resource Shutdown or Release vulnerability in JTEKT TOYOPUC programmable logic controller products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Reflected cross-site scripting in Microsoft Azure DevOps Server ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-in-microso… ∗∗∗ vBulletin Connect: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0373 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2021
by Daily end-of-shift report 13 Apr '21

13 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Montag 12-04-2021 18:00 − Dienstag 13-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ NAME:WRECK DNS vulnerabilities affect over 100 million devices ∗∗∗ --------------------------------------------- Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/name-wreck-dns-vulnerabiliti… ∗∗∗ RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers ∗∗∗ --------------------------------------------- An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. --------------------------------------------- https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html ∗∗∗ CISA Details Malware Found on Hacked Exchange Servers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware. --------------------------------------------- https://www.securityweek.com/cisa-details-malware-found-hacked-exchange-ser… ∗∗∗ Unseriöse Kreditkartenabbuchungen von screenacy.co ∗∗∗ --------------------------------------------- Wenn von Ihrer Kreditkarte monatlich ein Betrag von screenacy.co abgebucht wird, ohne dass Sie etwas bestellt oder abonniert haben, sind Sie höchstwahrscheinlich in eine Abo-Falle getappt. Viele Betroffene können nicht nachvollziehen, wo und warum es zu einem Vertragsabschluss gekommen ist - meist aber durch bewusste Täuschung. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-kreditkartenabbuchungen-v… ∗∗∗ Winter 2020 Network Attack Trends: Internet of Threats ∗∗∗ --------------------------------------------- Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution. --------------------------------------------- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/ ∗∗∗ Threat Assessment: Clop Ransomware ∗∗∗ --------------------------------------------- In response to an uptick in Clop ransomware activity, we provide an overview and courses of action that can be used to mitigate it. --------------------------------------------- https://unit42.paloaltonetworks.com/clop-ransomware/ ∗∗∗ Threat Actor Type Inference and Characterization within Cyber Threat Intelligence. (arXiv:2103.02301v3 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- As the cyber threat landscape is constantly becoming increasingly complex and polymorphic, the more critical it becomes to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate with different sources to derive more contextual, accurate, and relevant intelligence. --------------------------------------------- https://arxiv.org/abs/2103.02301 ===================== = Vulnerabilities = ===================== ∗∗∗ [20210402] - Core - Inadequate filters on module layout settings ∗∗∗ --------------------------------------------- Inadequate filters on module layout settings could lead to an LFI. --------------------------------------------- https://developer.joomla.org:443/security-centre/851-20210402-core-inadequa… ∗∗∗ [20210401] - Core - Escape xss in logo parameter error pages ∗∗∗ --------------------------------------------- Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages. --------------------------------------------- https://developer.joomla.org:443/security-centre/850-20210401-core-escape-x… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libpano13), Fedora (mosquitto and perl-Net-CIDR-Lite), Mageia (curl, mongodb, pdfbox, python-jinja2, rygel, spamassassin, tor, velocity, webkit2, and wireshark), openSUSE (umoci), Oracle (389-ds:1.4, kernel, and virt:ol and virt-devel:rhel), Red Hat (kernel and kpatch-patch), Slackware (dnsmasq and irssi), and SUSE (cifs-utils, rubygem-actionpack-4_2, and spamassassin). --------------------------------------------- https://lwn.net/Articles/852526/ ∗∗∗ Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices ∗∗∗ --------------------------------------------- An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage (NAS) devices that run the Surveillance Station video management system. --------------------------------------------- https://www.securityweek.com/exploit-released-critical-vulnerability-affect… ∗∗∗ SAP Patchday April ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0370 ∗∗∗ ZDI-21-406: (0Day) Microsoft 3D Builder PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-406/ ∗∗∗ ZDI-21-405: (0Day) Microsoft Print 3D PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-405/ ∗∗∗ D-Bus vulnerability CVE-2020-12049 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16729408 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-163226 V1.0: CELL File Parsing Vulnerability in Tecnomatix RobotExpert ∗∗∗ --------------------------------------------- Siemens Tecnomatix RobotExpert version V16.1 fixes a vulnerability that could be triggered when the application reads CELL files. If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-163226.txt ∗∗∗ SSA-185699 V1.0: Out of Bounds Write Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains two out of bounds write vulnerabilities in the handling of DNS responses that could allow an attacker to cause a denial-of-service condition or to remotely execute code. Siemens has released updates for several affected products [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-185699.txt ∗∗∗ SSA-187092 V1.0: Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200 ∗∗∗ --------------------------------------------- Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-187092.txt ∗∗∗ SSA-201384 V1.0: Predictable UDP Port Number Vulnerability (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerability described in this advisories is from this set. The DNS client of affected products contains a vulnerability related to the handling of UDP port numbers in DNS requests that could allow an attacker to poison the DNS cache or spoof DNS resolving. Siemens has released updates for several affected products and recommends to update [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-201384.txt ∗∗∗ SSA-248289 V1.0: Denial-of-Service Vulnerabilities in the IPv6 Stack of Nucleus Products ∗∗∗ --------------------------------------------- The IPv6 stack of affected products contains two vulnerabilities when processing IPv6 headers which could allow an attacker to cause a denial-of-service condition. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-248289.txt ∗∗∗ SSA-292794 V1.0: Multiple Denial-of-Service Vulnerabilities in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- The latest update for SINEMA Remote Connect Server fixes two Denial-of-Service vulnerabilities in the underlying third-party XML parser. Siemens has released updates for the affected product and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-292794.txt ∗∗∗ SSA-497656 V1.0: Multiple NTP Vulnerabilities in TIM 4R-IE Devices ∗∗∗ --------------------------------------------- There are multiple vulnerabilities in the underlying NTP component of the affected TIM 4R-IE. Siemens recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-497656.txt ∗∗∗ SSA-574442 V1.0: Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- Siemens has released a new version for Solid Edge to fix multiple vulnerabilities that could be triggered when the application reads files in different file formats (PAR, DFT extensions). If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-574442.txt ∗∗∗ SSA-669158 V1.0: DNS Client Vulnerabilities in SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669158.txt ∗∗∗ SSA-705111 V1.0: Vulnerabilities (NAME:WRECK) in DNS Module of Nucleus Products ∗∗∗ --------------------------------------------- Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate the DNS responses and cause a denial-of-service condition. Siemens has released updates for several --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-705111.txt ∗∗∗ SSA-761844 V1.0: Multiple Vulnerabilities in Control Center Server (CCS) ∗∗∗ --------------------------------------------- The advisory informs about multiple vulnerabilities in the Central Control Server (CCS) application, as initially reported in SSA-761617 on 2019-12-10 and SSA-844761 on 2020-03-10. The vulnerabilities involve authentication bypass (CVE-2019-18337, CVE-2019-18341), path traversal (CVE-2019-18338, CVE-2019-19290), information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291), privilege escalation (CVE-2019-18342), SQL injection (CVE-2019-19292), cross-site scripting [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt ∗∗∗ SSA-788287 V1.0: Disclosure of Private Data ∗∗∗ --------------------------------------------- Due to SmartClient Installation technology (ClickOnce) a customer/integrator needs to create a customer specific Smartclient installer. The mentioned products delivered a trusted but yet expired codesigning certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable resulting in having a trusted digital signature from a trusted provider. The certificate was revoked immediately. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-788287.txt ∗∗∗ SSA-853866 V1.0: User Credentials Disclosure Vulnerability in Siveillance Video Open Network Bridge (ONVIF) ∗∗∗ --------------------------------------------- Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to unsecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. Siemens recommends to apply the hotfixes at the earliest opportunity. See also the chapter Additional Information, how to apply the hotfix. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-853866.txt ∗∗∗ SSA-983300 V1.0: Vulnerabilities in LOGO! Soft Comfort ∗∗∗ --------------------------------------------- Two vulnerabilities have been identified in the LOGO! Soft Comfort software. These could allow an attacker to take over a system with the affected software installed. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-983300.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2021
by Daily end-of-shift report 12 Apr '21

12 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-04-2021 18:00 − Montag 12-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Top 10 Secrets of Admin Users ∗∗∗ --------------------------------------------- Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role. --------------------------------------------- https://www.beyondtrust.com/blog/entry/the-top-10-secrets-of-admin-users ∗∗∗ Pulse Secure VPN users cant login due to expired certificate ∗∗∗ --------------------------------------------- Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-… ∗∗∗ Microsoft warnt vor Banking-Trojanern ∗∗∗ --------------------------------------------- Eine neue Angriffsmethode von Banking-Trojanern beunruhigt Microsoft. IcedID, auch bekannt als BokBot, ist ein modularer Banking-Trojaner, der es auf die Finanzdaten der Anwender abgesehen hat und als Dropper für andere Malware fungieren kann. --------------------------------------------- https://www.zdnet.de/88394286/microsoft-warnt-vor-banking-trojanern/ ∗∗∗ Messenger-Dienst: Angreifer können Whatsapp-Nutzer aus dem Dienst aussperren ∗∗∗ --------------------------------------------- Durch den massenhaften Versuch, eine Telefonnummer bei Whatsapp zu registrieren, könnte diese letztlich von dem Dienst ausgeschlossen werden. --------------------------------------------- https://www.golem.de/news/messenger-dienst-angreifer-koennen-whatsapp-nutze… ∗∗∗ APKPure: Schadcode in App des alternativen Android-Stores entdeckt ∗∗∗ --------------------------------------------- Wer Android-Anwendungen über APKPure bezieht und dazu die gleichnamige App verwendet, sollte jetzt updaten: Forscher fanden Schadcode in der vorherigen Version. --------------------------------------------- https://heise.de/-6011340 ∗∗∗ Zahlreiche Probleme auf all4you-fashion.com ∗∗∗ --------------------------------------------- Immer häufiger beschäftigen die Watchlist Internet problematische Dropshipping-Angebote. Sie richten sich an österreichische und deutsche KonsumentInnen, halten dabei aber rechtliche Vorgaben nicht ein. Wer beispielsweise auf all4you-fashion.com bestellt, soll trotz „garantierten 30-tägigen Rückgaberechts“ Bearbeitungsgebühren für den Rücktritt bezahlen. Rechtlich muss ein solcher Widerruf aber kostenlos möglich sein. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-probleme-auf-all4you-fash… ∗∗∗ Schadsoftware infiziert halbe Million Huawei-Smartphones über offizielle App Gallery ∗∗∗ --------------------------------------------- Joker Malware war in mehreren Programmen versteckt - SMS-Betrug seit 2017 in immer neuen Formen --------------------------------------------- https://www.derstandard.at/story/2000125753278/schadsoftware-infiziert-halb… ∗∗∗ Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th) ∗∗∗ --------------------------------------------- Over the past several years I have used multiple pre-built sensors using readily available ISO images (rockNSM, SO, OPNSense, etc) but what I was really looking for was just a sensor to parse traffic (i.e Zeek) and IDS alerts (Suricata) to ELK. --------------------------------------------- https://isc.sans.edu/diary/rss/27296 ∗∗∗ How ransomware gangs are connected, sharing resources and tactics ∗∗∗ --------------------------------------------- New research by Analyst1 sheds light on the cooperation between some of the ransomware gangs dominating the cybersecurity news. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-c… ∗∗∗ Recording: Analyzing Android Malware — >From triage to reverse-engineering ∗∗∗ --------------------------------------------- Its easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices [...] --------------------------------------------- https://blog.talosintelligence.com/2021/04/recording-analyzing-android-malw… ∗∗∗ Emotet Command and Control Case Study ∗∗∗ --------------------------------------------- We provide a step-by-step technical analysis of Emotet command and control, based on observations from before Emotet threat actors were disrupted. --------------------------------------------- https://unit42.paloaltonetworks.com/emotet-command-and-control/ ∗∗∗ Criminals spread malware using website contact forms with Google URLs ∗∗∗ --------------------------------------------- Crooks are using social engineering to exploit workers efforts to do their jobs. --------------------------------------------- https://www.zdnet.com/article/criminals-spread-malware-using-website-contac… ∗∗∗ Critical security alert: If you havent patched this old VPN vulnerability, assume your network is compromised ∗∗∗ --------------------------------------------- Hundreds of organisations that havent applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns. --------------------------------------------- https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched… ===================== = Vulnerabilities = ===================== ∗∗∗ Tripwire Patch Priority Index for March 2021 ∗∗∗ --------------------------------------------- Tripwire’s March 2021 Patch Priority Index (PPI) brings together important vulnerabilities from SaltStack, VWware, BIG-IP and Microsoft. First on the patch priority list this month are patches for vulnerabilities in Microsoft Exchange (CVE-2021-27065, CVE-2021-26855), SaltStack (CVE-2021-25282, CVE-2021-25281), BIG-IP (CVE-2021-22986) and VMware vCenter (CVE-2021-21972). Exploits for these vulnerabilities have been recently added to the Metasploit Exploit [...] --------------------------------------------- https://www.tripwire.com/state-of-security/vert/tripwire-patch-priority-ind… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin). --------------------------------------------- https://lwn.net/Articles/852339/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2021
by Daily end-of-shift report 09 Apr '21

09 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-04-2021 18:00 − Freitag 09-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Facebook-Leak: So könnten die Daten abhanden gekommen sein ∗∗∗ --------------------------------------------- Facebook und Linkedin bestreiten, dass es einen Einbruch gab. Andererseits enthalten die Leaks etwa Telefonnumern, die nicht öffentlich einsehbar sein sollten. --------------------------------------------- https://heise.de/-6009896 ∗∗∗ Gehackt: Windows, Ubuntu, Exchange, Teams, Zoom, Chrome, Safari und Edge ∗∗∗ --------------------------------------------- Für Prämien von insgesamt über 1 Million US-Dollar demonstrierten Hacker beim Pwn2Own 2021 erneut Sicherheitslücken in wichtigen IT-Produkten. --------------------------------------------- https://heise.de/-6010171 ∗∗∗ Sony bestätigt PS5-Betrug durch Fake-Shop "playstation-sony.eu" ∗∗∗ --------------------------------------------- Der aufwendig gestaltete Online-Shop gehört nicht zum Sony-Konzern. Analysen deuten auf ein großes Betrugs-Netzwerk hin. Spuren führen in die Ukraine. --------------------------------------------- https://heise.de/-6009907 ∗∗∗ Cisco: Keine Patches mehr für angreifbare SoHo-Router ∗∗∗ --------------------------------------------- Weil die Produkte nicht mehr unterstützt werden, will Cisco keine Fixes bereit stellen. Die Kunden sollen neuere Modelle kaufen. --------------------------------------------- https://heise.de/-6010387 ∗∗∗ Trojan detected in APKPure Android app store client software ∗∗∗ --------------------------------------------- Doctor Web specialists have discovered a malicious functionality in APKPure - an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission. The APKPure is one of the oldest and the most popular third-party games and software catalogs for the Android OS. --------------------------------------------- https://news.drweb.com/show/?i=14188&lng=en&c=9 ∗∗∗ IcedID Banking Trojan Surges: The New Emotet? ∗∗∗ --------------------------------------------- A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting its filling the Emotet void. --------------------------------------------- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ ∗∗∗ Threat matrix for storage services ∗∗∗ --------------------------------------------- Storage services are one of the most popular services in the cloud. In this blog, we outline potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment. --------------------------------------------- https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storag… ∗∗∗ [SANS ISC] No Python Interpreter? This Simple RAT Installs Its Own Copy ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: "No Python Interpreter? This Simple RAT Installs Its Own Copy": For a while, I’m keeping an eye on malicious Python code targeting Windows environments. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems. --------------------------------------------- https://blog.rootshell.be/2021/04/09/sans-isc-no-python-interpreter-this-si… ∗∗∗ Detecting Exposed Cobalt Strike DNS Redirectors ∗∗∗ --------------------------------------------- This research will focus on some of the active detections that can be used to fingerprint exposed Cobalt Strike servers that are using DNS as a communication channel. Although the research approach will be a bit different, the outcome will be similar to what JARM did for HTTP/HTTPs restricted to the scope of Cobalt Strike. --------------------------------------------- https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirect… ∗∗∗ Sysrv Botnet Expands and Gains Persistence ∗∗∗ --------------------------------------------- On March 4, 2021, Juniper Threat Labs identified a surge of activity of the Sysrv botnet. The botnet spread itself into Windows and Linux systems by exploiting multiple vulnerabilities, which we will cover in this blog. The threat actor’s objective is to install a Monero cryptominer. The attack remains active. Here’s what we’ve seen so far. --------------------------------------------- https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-ga… ∗∗∗ Cryptomining containers caught coining cryptocurrency covertly ∗∗∗ --------------------------------------------- Research has uncovered 30 compromised images in 10 different Docker Hub accounts, representing over 20 million pulls. --------------------------------------------- https://blog.malwarebytes.com/web-threats/2021/04/cryptomining-containers-c… ∗∗∗ A deep dive into Saint Bot, a new downloader ∗∗∗ --------------------------------------------- Saint Bot is a downloader that has been used to drop stealers. We take a deep look at it and its accompanying panel. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-sain… ∗∗∗ Vorsicht vor Kreditbetrug auf Facebook! ∗∗∗ --------------------------------------------- Die Auswirkungen der Corona-Krise sorgen immer noch dafür, dass viele Menschen von Finanzhilfen abhängig sind. Kriminelle nutzen dies aus und bieten auf Facebook angebliche Kredite und Darlehen an. Durch Kommentare und Privatnachrichten versuchen die BetrügerInnen das Vertrauen der Opfer zu gewinnen. Die Kredite werden jedoch niemals ausgezahlt, stattdessen sollen die Opfer Vorschusszahlungen leisten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kreditbetrug-auf-facebo… ∗∗∗ Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments ∗∗∗ --------------------------------------------- Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary - a Splunk-based dashboard - facilitates analysis of Sparrow data [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/08/using-aviary-to-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities Patched in WP Page Builder ∗∗∗ --------------------------------------------- On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any [...] --------------------------------------------- https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-b… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lib3mf, php-pear, and python-django), Fedora (perl-Net-Netmask), openSUSE (flatpak, libostree, xdg-desktop-portal,, fwupd, fwupdate, and hostapd), Oracle (kernel, libldb, nettle, and squid), Red Hat (nettle), and SUSE (fwupdate, tpm2-tss-engine, and umoci). --------------------------------------------- https://lwn.net/Articles/852110/ ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Integer Underflow vulnerability in the FATEK Automation WinProladder programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-098-01 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0366 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0364 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0362 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2021
by Daily end-of-shift report 08 Apr '21

08 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-04-2021 18:00 − Donnerstag 08-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung vor täuschend echtem Fake-Shop, der PS5 verkauft ∗∗∗ --------------------------------------------- Der Online-Store scheint auf den ersten Blick seriös. Dahinter verstecken sich aber Betrüger. --------------------------------------------- https://futurezone.at/games/warnung-vor-taeuschend-echtem-fake-shop-der-ps5… ∗∗∗ Hackerangriffe auf Logistikunternehmen ∗∗∗ --------------------------------------------- ESET hat herausgefunden, dass die Lazarus-Gruppe Logistikunternehmen gezielt angreift. Das ist heikel, denn Ausfälle in der weltweiten Frachtlogistik können gravierende Folgen haben. --------------------------------------------- https://www.zdnet.de/88394254/hackerangriffe-auf-logistikunternehmen/ ∗∗∗ How to Know If You Are Under DDoS Attack ∗∗∗ --------------------------------------------- Nowadays, the term DDoS probably raises the heart rate of most webmasters. Though many don’t know exactly what a DDoS attack is, they do know the effect: an extremely sluggish or shut-down website. In this article, we’ll focus on how to know if your website is under attack and how to protect it. --------------------------------------------- https://blog.sucuri.net/2021/04/how-to-know-if-you-are-under-a-ddos-attack.… ∗∗∗ [SANS ISC] Simple Powershell Ransomware Creating a 7Z Archive of your Files ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Simple Powershell Ransomware Creating a 7Z Archive of your Files“: If some ransomware families are based on PE files with complex features, it’s easy to write quick-and-dirty ransomware in other languages like Powershell. I found this sample while hunting. I’m pretty confident that this [...] --------------------------------------------- https://blog.rootshell.be/2021/04/08/sans-isc-simple-powershell-ransomware-… ∗∗∗ Vulnerability in Fortigate VPN servers is exploited in Cring ransomware attacks ∗∗∗ --------------------------------------------- In Q1 2021, threat actors conducted a series of attacks using the Cring ransomware. These attacks were mentioned in a Swisscom CSIRT tweet, but it remained unclear how the ransomware infects an organization's network. An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in Fortigate VPN servers. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigat… ∗∗∗ Update on git.php.net incident ∗∗∗ --------------------------------------------- Hi everyone, I would like to provide an update regarding the git.php.net security incident. To briefly summarize the most important information: - We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked. - master.php.net has been migrated to a new system main.php.net. - All php.net passwords have been reset. Go to https://main.php.net/forgot.php to set a new password. - git.php.net and svn.php.net are both read-only now, but will remain available for the time being. The following is a more detailed explanation of what happened and which actions were taken. --------------------------------------------- https://externals.io/message/113981 ∗∗∗ Office 365 phishing campaign uses publicly hosted JavaScript code ∗∗∗ --------------------------------------------- A new phishing campaign targeting Office 365 users cleverly tries to bypass email security protections by combining chunks of HTML code delivered via publicly hosted JavaScript code. The phishing email and page The subject of the phishing email says "price revision" and it contains no body - just an attachment (hercus-Investment 547183-xlsx.Html) that, at first glance, looks like an Excel document, but is actually an HTML document that contains encoded text pointing to two [...] --------------------------------------------- https://www.helpnetsecurity.com/2021/04/08/office-365-phishing-javascript/ ∗∗∗ Zoom zero-day discovery makes calls safer, hackers $200,000 richer ∗∗∗ --------------------------------------------- White hat hackers have demonstrated a Remote Code Execution attack against Zoom at the Pwn2Own event. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zer… ∗∗∗ Library Dependencies and the Open Source Supply Chain Nightmare ∗∗∗ --------------------------------------------- It’s a bigger problem than is immediately apparent, and has the potential for hacks as big as Equifax and as widespread as SolarWinds. --------------------------------------------- https://www.securityweek.com/library-dependencies-and-open-source-supply-ch… ∗∗∗ appleiphoneunlock.uk: Unseriöse Praktiken beim Entfernen der iCloud-Aktivierungssperre! ∗∗∗ --------------------------------------------- Sie haben ein gebrauchtes iPhone gekauft und erst im Nachhinein festgestellt, dass Sie es mit Ihrer iCloud-ID gar nicht nutzen können? Die Lösung: Die iCloud-Aktivierungssperre muss freigeschalten werden. Aber Achtung: Unseriöse Seiten bieten solche Entsperrungsdienste an. So zum Beispiel appleiphoneunlock.uk. KonsumentInnen berichten, dass die Angaben beim Bestellprozess irreführend sind und immer wieder weitere Kosten anfallen. --------------------------------------------- https://www.watchlist-internet.at/news/appleiphoneunlockuk-unserioese-prakt… ∗∗∗ Weiter fake Willhaben-SMS zu angeblicher PayLivery-Zahlung ∗∗∗ --------------------------------------------- Zahlreiche KonsumentInnen wenden sich momentan an die Watchlist Internet, da sie eine betrügerische SMS zu einer Willhaben-Anzeige erhalten haben. Die Nachricht der Kriminellen täuscht eine Zahlung vor und leitet auf gefälschte Willhaben-Seiten weiter. Die SMS müssen ignoriert werden, ansonsten droht ein Geld- und Datenverlust! --------------------------------------------- https://www.watchlist-internet.at/news/weiter-fake-willhaben-sms-zu-angebli… ∗∗∗ GamerInnen aufgepasst: So versuchen Kriminelle Ihren Steam-Account zu klauen! ∗∗∗ --------------------------------------------- Mit mehr als einer Milliarde aktiven NutzerInnen und mit über 30.000 Spielen ist Steam die größte Gaming-Plattform. Kein Wunder, dass die Plattform auch ein beliebtes Ziel für BetrügerInnen ist. Immer wieder geben sich Kriminelle als Steam-MitarbeiterInnen aus, um an die Accounts der SpielerInnen zu kommen. Wir zeigen Ihnen wie die Masche funktioniert und wie Sie sich schützen. --------------------------------------------- https://www.watchlist-internet.at/news/gamerinnen-aufgepasst-so-versuchen-k… ===================== = Vulnerabilities = ===================== ∗∗∗ Azure Functions Weakness Allows Privilege Escalation ∗∗∗ --------------------------------------------- Microsofts cloud-container technology allows attackers to directly write to files, researchers said. --------------------------------------------- https://threatpost.com/azure-functions-privilege-escalation/165307/ ∗∗∗ Cisco: Wichtige Updates beseitigen aus der Ferne attackierbare Sicherheitslücken ∗∗∗ --------------------------------------------- Die ersten Cisco-Updates nach den Feiertagen zielen unter anderem auf die SD-WAN vManage Software und Small Business RV Router. Zwei Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-6008277 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, libldb, rpm, samba, and seamonkey), openSUSE (isync), Oracle (kernel), Red Hat (openssl and squid), SUSE (ceph, flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk, fwupd, fwupdate, and openexr), and Ubuntu (curl, linux-lts-trusty, and lxml). --------------------------------------------- https://lwn.net/Articles/851956/ ∗∗∗ ImageMagick: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0361 ∗∗∗ ClamAV: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0358 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2021
by Daily end-of-shift report 07 Apr '21

07 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-04-2021 18:00 − Mittwoch 07-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Windows XP makes ransomware gangs work harder for their money ∗∗∗ --------------------------------------------- A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even when Microsoft dropped supporting it seven years ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-xp-makes-ransomware-… ∗∗∗ Top Cybercriminal Gangs Are Using EtterSilent Maldoc Builder ∗∗∗ --------------------------------------------- A malicious document builder named EtterSilent is becoming popular amongst cybercriminals as the developers keep improving it in order to avoid being detected by security solutions. --------------------------------------------- https://heimdalsecurity.com/blog/top-cybercriminal-gangs-are-using-ettersil… ∗∗∗ Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th) ∗∗∗ --------------------------------------------- Couple of weeks ago, my phishing/spam trap caught an interesting e-mail carrying what turned out to be a sample of the Lokibot Infostealer. --------------------------------------------- https://isc.sans.edu/diary/rss/27282 ∗∗∗ WiFi IDS and Private MAC Addresses, (Wed, Apr 7th) ∗∗∗ --------------------------------------------- Nzyme does focus on WiFi-specific attacks, so it does not care about payload but inspects the 802.11 headers that escape traditional, wired IDSs. --------------------------------------------- https://isc.sans.edu/diary/rss/27288 ∗∗∗ New article: Dissecting the design and vulnerabilities in AZORult C&C panels ∗∗∗ --------------------------------------------- In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his teams findings related to the C&C design and some security issues they identified. --------------------------------------------- https://www.virusbulletin.com/blog/2021/04/new-article-dissecting-design-an… ∗∗∗ Aurora campaign: Attacking Azerbaijan using multiple RATs ∗∗∗ --------------------------------------------- We identified a new Python-based RAT targeting Azerbaijan from the same threat actor we profiled a month ago. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attac… ∗∗∗ Fake Trezor app steals more that $1 million worth of crypto coins ∗∗∗ --------------------------------------------- Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have lost fortunes after being duped by a phishing app. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/04/fake-trezor-app-st… ∗∗∗ White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021 ∗∗∗ --------------------------------------------- On the first day of the Pwn2Own 2021 hacking competition, participants earned more than half a million dollars, including $440,000 for demonstrating exploits against Microsoft products. --------------------------------------------- https://www.securityweek.com/white-hats-earn-440000-hacking-microsoft-produ… ∗∗∗ New wormable Android malware poses as Netflix to hijack WhatsApp sessions ∗∗∗ --------------------------------------------- Users are lured in with the promise of a free premium subscription. --------------------------------------------- https://www.zdnet.com/article/new-android-malware-poses-as-netflix-to-hijac… ∗∗∗ Flexible taxonomies and new software for the tag2domain project ∗∗∗ --------------------------------------------- Domain Names are the center piece of locating services on the internet and they can be used for a variety of purposes and services. Understanding the type of services a Domain Name offers is one of the key aspects of Internet Security. --------------------------------------------- https://cert.at/en/blog/2021/4/flexible-taxonomies-and-new-software-for-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Notenmanipulation möglich: Große Schwachstelle in Lern-Software Moodle ∗∗∗ --------------------------------------------- Die freie Lernplattform Moodle wies über Jahre eine Sicherheitslücke auf, mit der Schüler unter anderem ihre Noten manipulieren konnten. --------------------------------------------- https://www.golem.de/news/notenmanipulation-moeglich-grosse-schwachstelle-i… ∗∗∗ Upload beliebiger Dateien und Umgehung von .htaccess Regeln in Monospace Directus Headless CMS ∗∗∗ --------------------------------------------- Monospace Directus CMS Docker Images, welche Apache als Webserver mit lokalem Storage nutzen, sind von einer Schwachstelle betroffen, über die jeder authentifizierte Nutzer beliebige Dateien und Ordner hochladen kann. In unveränderter Standard-Konfiguration ist Directus somit anfällig für Remote Code Execution und Veränderung von Webserver .htaccess Regeln. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload… ∗∗∗ SAP-Produkte: CISA warnt vor Gefahren durch verschleppte Sicherheitsupdates ∗∗∗ --------------------------------------------- Die CISA und Forscher von Onapsis warnen vor Angriffsmöglichkeiten auf SAP-Produkte über sechs ältere Schwachstellen. Updates sind teils schon lange verfügbar. --------------------------------------------- https://heise.de/-6007209 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (chromium), Oracle (flatpak and kernel), Red Hat (virt:8.3 and virt-devel:8.3), and SUSE (gssproxy and xen). --------------------------------------------- https://lwn.net/Articles/851868/ ∗∗∗ Hitachi ABB Power Grids Multiple Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in some Hitachi ABB Power Grids products using IED 61850 interfaces. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-096-01 ∗∗∗ Security Advisory - Pointer Double Free Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2021
by Daily end-of-shift report 06 Apr '21

06 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-04-2021 18:00 − Dienstag 06-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malicious cheats for Call of Duty: Warzone are circulating online ∗∗∗ --------------------------------------------- The cheat is fake, but the malware it installs is the real thing. --------------------------------------------- https://arstechnica.com/?p=1754269 ∗∗∗ Telefonnummer, E-Mail: Bin ich im Facebook-Leak? ∗∗∗ --------------------------------------------- Auf verschiedenen Webseiten können Nutzer prüfen, ob sie zu den 533 Millionen Betroffenen des Facebook-Datenlecks gehören. --------------------------------------------- https://www.golem.de/news/telefonnummer-e-mail-bin-ich-im-facebook-leak-210… ∗∗∗ Kryptomining: Coinhive-Skripte warnen vor sich selbst ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Troy Hunt hat die Domains des Kryptominers Coinhive bekommen. Mit ihnen macht er auf Sicherheitsprobleme aufmerksam. --------------------------------------------- https://www.golem.de/news/kryptomining-coinhive-skripte-warnen-vor-sich-sel… ∗∗∗ The leap of a Cycldek-related threat actor ∗∗∗ --------------------------------------------- The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector. --------------------------------------------- https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/ ∗∗∗ From PowerShell to Payload: An Analysis of Weaponized Malware ∗∗∗ --------------------------------------------- John Hammond, security researcher with Huntress, takes a deep-dive into a stagers technical and coding aspects. --------------------------------------------- https://threatpost.com/powershell-payload-analysis-malware/165188/ ∗∗∗ YARA and CyberChef: ZIP, (Sun, Apr 4th) ∗∗∗ --------------------------------------------- When processing the result of "unzip" in CyberChef, for example with YARA rules, all files contained inside the ZIP file, are concatenated together. --------------------------------------------- https://isc.sans.edu/diary/rss/27276 ∗∗∗ Gigaset: Malware-Befall von Android-Geräten des Herstellers gibt Rätsel auf ∗∗∗ --------------------------------------------- Besitzer von Android-Smartphones von Gigaset kämpfen seit einigen Tagen mit Malware. Einiges deutet auf einen kompromittierten Update-Server als Quelle hin. --------------------------------------------- https://heise.de/-6006464 ∗∗∗ Man in the Terminal ∗∗∗ --------------------------------------------- By using path hijacking and modification on Unix-like machines, we can achieve pseudo-keylogging functionality by prioritizing malicious middleware binaries to record and transfer standard input/output streams. --------------------------------------------- https://posts.specterops.io/man-in-the-terminal-65476e6165b9 ∗∗∗ 2020 Phishing Trends With PDF Files ∗∗∗ --------------------------------------------- We analyzed recent phishing trends with PDF files and noted a dramatic increase in the practice, as well as five approaches popular with attackers. --------------------------------------------- https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/ ∗∗∗ SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications ∗∗∗ --------------------------------------------- New research also reveals that SAP vulnerabilities, on average, are weaponized in less than 72 hours. --------------------------------------------- https://www.zdnet.com/article/sap-issues-advisory-on-vulnerable-application… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Out-of-bounds write vulnerabilities in Accusoft ImageGear ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a [...] --------------------------------------------- https://blog.talosintelligence.com/2021/03/vuln-spotlight-accusoft-image-ge… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxstream-java, php-nette, and smarty3), Fedora (curl, openssl, spamassassin, and webkit2gtk3), Mageia (ant, batik, kernel, kernel-linus, nodejs-chownr, nodejs-yargs-parser, python-bottle, and ruby-em-http-request), openSUSE (curl and OpenIPMI), and Red Hat (openssl). --------------------------------------------- https://lwn.net/Articles/851640/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, netty, python-bleach, and python3.5), Fedora (libmediainfo, libzen, and mediainfo), Mageia (openssl), openSUSE (chromium), Red Hat (389-ds:1.4, flatpak, kernel, kernel-rt, kpatch-patch, libldb, and virt:rhel and virt-devel:rhel), and Ubuntu (python-django and ruby-rack). --------------------------------------------- https://lwn.net/Articles/851772/ ∗∗∗ Android Patchday April ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0344 ∗∗∗ QTS 4.3.6.1620 Build 20210322 ∗∗∗ --------------------------------------------- Security Updates Fixed a command injection vulnerability (CVE-2020-2509). Fixed a vulnerability in Apache HTTP server (CVE-2020-9490). --------------------------------------------- https://www.qnap.com/en/release-notes/qts/4.3.6.1620/20210322 ∗∗∗ Shodan Verified Vulns 2021-04-01 ∗∗∗ --------------------------------------------- Der März verging Dank (?) den Exchange-Schachstellen wie im Flug und wir werfen entsprechend wieder einen Blick auf jene Schwachstellen, die Shodan in Österreich sieht. Mit Stand 2021-04-01 ergab sich Folgendes: Es ist also passiert! Mit einem Schlag sind die TLS-Schwachstellen (fast) vom Thron gestoßen – die Microsoft Exchange Lücken greifen nach der Spitze. --------------------------------------------- https://cert.at/de/aktuelles/2021/4/shodan-verified-vulns-2021-04-01 ∗∗∗ April 5, 2021 TNS-2021-07 [R1] Nessus 8.14.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-07 ∗∗∗ Grafana vulnerability CVE-2019-15043 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00843201 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2021
by Daily end-of-shift report 02 Apr '21

02 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-04-2021 18:00 − Freitag 02-04-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 5 steps to respond to a data breach ∗∗∗ --------------------------------------------- This blog was written by an independent guest blogger. You’ve just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you’re the rare breed who plans in advance how to respond. Even better if this planning includes how to prevent them. But to execute a logical, effective response, keep reading. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/5-steps-to-respond-… ∗∗∗ VMware fixes authentication bypass in data center security software ∗∗∗ --------------------------------------------- VMware has addressed a critical vulnerability in the VMware Carbon Black Cloud Workload appliance that could allow attackers to bypass authentication after exploiting vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-fixes-authentication-… ∗∗∗ New ‘BazarCall’ Malware Uses Call Centers to Trick its Victims into Infecting Themselves ∗∗∗ --------------------------------------------- Today’s hackers have never been more old-fashioned – they are currently using a telephone call as a “brand new “technique to infect their victim’s devices. --------------------------------------------- https://heimdalsecurity.com/blog/bazarcall-malware-uses-call-centers-to-tri… ∗∗∗ Browser lockers: extortion disguised as a fine ∗∗∗ --------------------------------------------- In this article we discuss browser lockers that mimic law enforcement websites. --------------------------------------------- https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/ ∗∗∗ Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting ∗∗∗ --------------------------------------------- A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages. --------------------------------------------- https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-… ∗∗∗ [SANS ISC] C2 Activity: Sandboxes or Real Victims? ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “C2 Activity: Sandboxes or Real Victims?“: In my last diary, I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the [...] --------------------------------------------- https://blog.rootshell.be/2021/04/02/sans-isc-c2-activity-sandboxes-or-real… ∗∗∗ A “txt file” can steal all your secrets ∗∗∗ --------------------------------------------- Recently, 360 Security Center’s threat monitoring platform has detected an email phishing attack. This attack uses a secret-stealing Trojan called Poulight. --------------------------------------------- https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/ ∗∗∗ Unpatched RCE Flaws Affect Tens of Thousands of QNAP SOHO NAS Devices ∗∗∗ --------------------------------------------- A pair of unpatched vulnerabilities in QNAP small office/home office (SOHO) network attached storage (NAS) devices could allow attackers to execute code remotely, according to a warning from security researchers at SAM Seamless Network. --------------------------------------------- https://www.securityweek.com/unpatched-rce-flaws-affect-tens-thousands-qnap… ∗∗∗ Nine Critical Flaws in FactoryTalk Product Pose Serious Risk to Industrial Firms ∗∗∗ --------------------------------------------- Industrial automation giant Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product. --------------------------------------------- https://www.securityweek.com/nine-critical-flaws-factorytalk-product-pose-s… ∗∗∗ Financial Sector Remains Most Targeted by Threat Actors: IBM ∗∗∗ --------------------------------------------- Organizations in the financial and insurance sectors were the most targeted by threat actors in 2020, continuing a trend that was first observed roughly five years ago, IBM Security reports. --------------------------------------------- https://www.securityweek.com/financial-sector-remains-most-targeted-threat-… ∗∗∗ Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool ∗∗∗ --------------------------------------------- We review samples of recent Hancitor infections, share relatively new indicators and provide examples of an associated network ping tool. --------------------------------------------- https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/ ∗∗∗ The best laid plans or lack thereof: Security decision-making of different stakeholder groups. (arXiv:2104.00284v1 [cs.CR]) ∗∗∗ --------------------------------------------- Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security [...] --------------------------------------------- http://arxiv.org/abs/2104.00284 ∗∗∗ FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-ad… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Jabber for Windows DLL Preloading Vulnerability ∗∗∗ --------------------------------------------- Version: 1.2 Description: Added information about additional software fixes because of a regression that reintroduced this vulnerability in subsequent software versions. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) ∗∗∗ --------------------------------------------- # Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) # Exploit Author: Al1ex # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 # CVE : CVE-2021-22986 https://github.com/Al1ex/CVE-2021-22986 --------------------------------------------- https://www.exploit-db.com/exploits/49738 ∗∗∗ K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗ --------------------------------------------- Indicators of compromise Important: F5 last updated this section on March 26, 2021 at 5:45 PM Pacific time. The information in this section is based on evidence that F5 has collected and believes to be reliable indicators of compromise. It is important to note that exploited systems may show different indicators, and a skilled attacker may be able to remove traces of their work. It is impossible to prove a device is not compromised; if you have any uncertainty, consider the device to be compromised. --------------------------------------------- https://support.f5.com/csp/article/K03009991 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr). --------------------------------------------- https://lwn.net/Articles/851511/ ∗∗∗ March 31, 2021 TNS-2021-05 [R1] Nessus 8.13.2 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2021
by Daily end-of-shift report 01 Apr '21

01 Apr '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-03-2021 18:00 − Donnerstag 01-04-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Datenleck bei Ubiquiti war deutlich umfassender ∗∗∗ --------------------------------------------- Laut einem Bericht konnten die Angreifer auf Quellcode und Credentials von Ubiquiti zugreifen. Der Netzwerkgerätehersteller widerspricht nicht. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-datenleck-bei-ubiquiti-war-deut… ∗∗∗ Who Contains the Containers? ∗∗∗ --------------------------------------------- This is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights into what to look for if you’re researching this area. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html ∗∗∗ Changes in Sinkhole and Honeypot Report Types and Formats ∗∗∗ --------------------------------------------- Over the years, Shadowserver’s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01. --------------------------------------------- https://www.shadowserver.org/news/changes-in-sinkhole-and-honeypot-report-t… ∗∗∗ The Importance of Website Backups ∗∗∗ --------------------------------------------- Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into the category of precious digital assets --------------------------------------------- https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html ∗∗∗ Back in a Bit: Attacker Use of the Windows Background IntelligentTransfer Service ∗∗∗ --------------------------------------------- Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP to simplify and coordinate downloading and uploading large files. Applications and system components, most notably Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal user disruption. [...] As is the case with many technologies, BITS can be used both by legitimate applications and by attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-window… ∗∗∗ DoS-Lücke in Virtualisierungsplattform Citrix Hypervisor geschlossen ∗∗∗ --------------------------------------------- Abgesicherte Versionen von Citrix Hypervisor verhindern Zugriffe auf Host-Systeme. --------------------------------------------- https://heise.de/-6003757 ∗∗∗ Report: USB threats to ICS systems have nearly doubled ∗∗∗ --------------------------------------------- The latest Honeywell USB Threat Report 2020 indicates that the number of threats specifically targeting Operational Technology systems has nearly doubled from 16% to 28%, while the number of threats capable of disrupting those systems rose from 26% to 59% over the same period. --------------------------------------------- https://www.tripwire.com/state-of-security/ics-security/report-usb-threats-… ∗∗∗ Digital Forensics vs. Anti-Digital Forensics: Techniques, Limitations and Recommendations. (arXiv:2103.17028v1 [cs.CR]) ∗∗∗ --------------------------------------------- The number of cyber attacks has increased tremendously in the last few years. This resulted into both human and financial losses at the individual and organization levels. Recently, cyber-criminals are leveraging new skills and capabilities by employing anti-forensics activities, techniques and tools to cover their tracks and evade any possible detection. --------------------------------------------- http://arxiv.org/abs/2103.17028 ∗∗∗ Is your dishwasher trying to kill you? ∗∗∗ --------------------------------------------- Does every device in your home really need to be connected to the internet? And could it be turned against you? --------------------------------------------- https://www.welivesecurity.com/2021/04/01/is-your-dishwasher-trying-kill-yo… ∗∗∗ CISA Releases Supplemental Direction on Emergency Directive for Microsoft Exchange Server Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued supplemental direction to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities providing additional forensic triage and server hardening, requirements for federal agencies. Specifically, this update directs federal departments and agencies to run newly developed tools - Microsoft’s Test-ProxyLogon.ps1 script and Safety Scanner MSERT - to investigate whether their Microsoft Exchange [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/cisa-releases-sup… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-399: (0Day) D-Link DIR-882 HNAP Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-882 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-399/ ∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗ --------------------------------------------- On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Fast Reload Vulnerabilities ∗∗∗ --------------------------------------------- Version: 1.1 Description: Added Catalyst 3650 switches as affected products. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS). These patches resolve multiple vulnerabilities related to improper access control and incorrect permission assignment privilege escalation as well as insecure file permissions. --------------------------------------------- https://success.trendmicro.com/solution/000286019 ∗∗∗ VMSA-2021-0005 ∗∗∗ --------------------------------------------- VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0005.html ∗∗∗ VMSA-2021-0004.1 - VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983) ∗∗∗ --------------------------------------------- 2021-03-31: VMSA-2021-0004.1 - Updated advisory with information on vROps 7.0.0 workarounds. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0004.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin). --------------------------------------------- https://lwn.net/Articles/851381/ ∗∗∗ Rockwell Automation FactoryTalk AssetCentre ∗∗∗ --------------------------------------------- This advisory contains mitigations for OS Command Injection, Deserialization of Untrusted Data, SQL Injection, and Improperly Restricted Functions vulnerabilities in Rockwell Automation FactoryTalk AssetCentre automation software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-091-01 ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331… ∗∗∗ Security Advisory - Arbitrary Memory Write Vulnerability in Huawei Smart Phone ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331… ∗∗∗ March 31, 2021 TNS-2021-06 [R1] Tenable.sc 5.18.0 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-06 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0334 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2021
by Daily end-of-shift report 31 Mar '21

31 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-03-2021 18:00 − Mittwoch 31-03-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Financial Cyberthreats in 2020 ∗∗∗ --------------------------------------------- This research is a continuation of our annual financial threat reports providing an overview of the latest trends and key events across the financial threat landscape. The study covers the common phishing threats, along with Windows and Android-based financial malware. --------------------------------------------- https://securelist.com/financial-cyberthreats-in-2020/101638/ ∗∗∗ Ziggy Ransomware Gang Offers Refunds to Victims ∗∗∗ --------------------------------------------- Ziggy joins Fonix ransomware group and shuts down, with apologies to targets. --------------------------------------------- https://threatpost.com/ziggy-ransomware-gang-offers-refund-to-victims/16512… ∗∗∗ 3MinMax Series Topic Review - Apple Acquisition ∗∗∗ --------------------------------------------- Apple devices are an entirely different platform than Windows, and there are many different considerations when preparing to acquire an Apple machine. --------------------------------------------- https://www.sans.org/blog/3minmax-series-topic-review---apple-acquisition ∗∗∗ [SANS ISC] Quick Analysis of a Modular InfoStealer ∗∗∗ --------------------------------------------- This morning, an interesting phishing email landed in my spam trap. The mail was redacted in Spanish and, as usual, asked the recipient to urgently process the attached document. --------------------------------------------- https://blog.rootshell.be/2021/03/31/sans-isc-quick-analysis-of-a-modular-i… ∗∗∗ Whistleblower: Ubiquiti Breach “Catastrophic” ∗∗∗ --------------------------------------------- On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. --------------------------------------------- https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrop… ∗∗∗ The Often-Overlooked Element of a Hack: Endpoints ∗∗∗ --------------------------------------------- It is Vital to Maintain Granular Visibility and Control Over Access Points to Establish Resilience --------------------------------------------- https://www.securityweek.com/often-overlooked-element-hack-endpoints ∗∗∗ Vorsicht beim Fahrrad-Kauf: marti-bosom.de ist ein Fake-Shop! ∗∗∗ --------------------------------------------- Mit den wärmer werdenden Temperaturen beginnt die Fahrrad-Saison. Für viele ist es die Zeit, um sich ein neues Fahrrad zu kaufen. Aufgrund der anhaltenden Corona-Krise passiert das immer öfter online. Hier gilt es jedoch vorsichtig zu sein, da es auch in diesem Bereich betrügerische Fake-Shops gibt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-fahrrad-kauf-marti-bos… ∗∗∗ Ransomware: Why were now facing a perfect storm ∗∗∗ --------------------------------------------- Normalising the act of paying a ransom to cyber criminals does nothing to protect anyone against ransomware, warns report. --------------------------------------------- https://www.zdnet.com/article/ransomware-why-were-now-facing-a-perfect-stor… ∗∗∗ Gaming mods, cheat engines are spreading Trojan malware and planting backdoors ∗∗∗ --------------------------------------------- Mods and cheat systems for games are being exploited to deploy information-stealing malware. --------------------------------------------- https://www.zdnet.com/article/gaming-tools-backdoored-cheat-engines-are-now… ∗∗∗ BLEKeeper: Response Time Behavior Based Man-In-The-Middle Attack Detection ∗∗∗ --------------------------------------------- Bluetooth Low Energy (BLE) has become one of the most popular wireless communication protocols and is used in billions of smart devices. Despite several security features, the hardware and software limitations of thesedevices makes them vulnerable to man-in-the-middle (MITM) attacks. --------------------------------------------- http://arxiv.org/abs/2103.16235 ===================== = Vulnerabilities = ===================== ∗∗∗ Fake jQuery files infect WordPress sites with malware ∗∗∗ --------------------------------------------- Researchers have spotted counterfeit versions of the jQuery Migrate plugin injected on dozens of websites which contains obfuscated code to load malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-jquery-files-infect-wor… ∗∗∗ Angreifer könnten Admin-Zugangsdaten von VMware vRealize kopieren ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Management-Software für Cloud-Umgebungen vRealize Operations. --------------------------------------------- https://heise.de/-6002805 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, ldb, leptonlib, and linux-4.19), Fedora (busybox), Gentoo (openssl, redis, salt, and sqlite), Mageia (firefox, fwupd, glib2.0, python-aiohttp, radare2, thunderbird, and zeromq), openSUSE (firefox), SUSE (ovmf, tomcat, and zabbix), and Ubuntu (curl, lxml, and pygments). --------------------------------------------- https://lwn.net/Articles/851269/ ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 89.0.4389.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/google-releases-s… ∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000286157 ∗∗∗ Multiple dnsmasq vulnerabilities CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98221124 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0333 ∗∗∗ Denial of Service in Rexroth ActiveMover using EtherNet/IP protocol ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-282922.html ∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637429.html ∗∗∗ SYSS-2021-006: SQL Injection-Schwachstelle in FireEye EX ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-006-sql-injection-schwachstelle-… ∗∗∗ SYSS-2021-005: SQL Injection-Schwachstelle in FireEye EX ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-005-sql-injection-schwachstelle-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily