=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-06-2021 18:00 − Monday 07-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! Attackers are targeting VMware vCenter Server ∗∗∗
---------------------------------------------
Security researchers warn that attackers are going after a critical vulnerability in vCenter Server.
---------------------------------------------
https://heise.de/-6063523
∗∗∗ Exploit published for critical vulnerability in Rocket.Chat ∗∗∗
---------------------------------------------
Anyone who has not yet fixed the critical Rocket.Chat vulnerability that was closed in May should do so as soon as possible.
---------------------------------------------
https://heise.de/-6063795
∗∗∗ Malware family naming hell is our own fault ∗∗∗
---------------------------------------------
EternalPetya has more than 10 different names. Many do not realize that CryptoLocker is long dead. These are not isolated cases but symptoms of a systemic problem: The way we name malware does not work. Why does it happen and how can we solve it?
---------------------------------------------
https://www.gdatasoftware.com/blog/malware-family-naming-hell
∗∗∗ Gootkit: the cautious Trojan ∗∗∗
---------------------------------------------
Gootkit is complex multi-stage banking malware capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.
---------------------------------------------
https://securelist.com/gootkit-the-cautious-trojan/102731/
∗∗∗ OSX/Hydromac ∗∗∗
---------------------------------------------
In this guest blog post, the security researcher Taha Karim of ConfiantIntel, dives into a new macOS adware specimen: Hydromac.
---------------------------------------------
https://objective-see.com/blog/blog_0x65.html
∗∗∗ WordPress Redirect Hack via Test0.com/Default7.com ∗∗∗
---------------------------------------------
Malicious redirect is a type of hack where website visitors are automatically redirected to some third-party website: usually it’s some malicious resource, scam site or a commercial site that buys traffic from cyber criminals (e.g. counterfeit drugs or replica merchandise). There are two major types of malicious redirects: server-side redirects and client-side redirects.
---------------------------------------------
https://blog.sucuri.net/2021/06/wordpress-redirect-hack-via-test0-com-defau…
∗∗∗ Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments ∗∗∗
---------------------------------------------
The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.
---------------------------------------------
https://unit42.paloaltonetworks.com/siloscape/
∗∗∗ This phishing email is pushing password-stealing malware to Windows PCs ∗∗∗
---------------------------------------------
An old form of trojan malware has been updated with new abilities, warn cybersecurity researchers.
---------------------------------------------
https://www.zdnet.com/article/this-phishing-email-is-pushing-password-steal…
∗∗∗ Hacking space: How to pwn a satellite ∗∗∗
---------------------------------------------
Hacking an orbiting satellite is not light years away - here’s how things can go wrong in outer space
---------------------------------------------
https://www.welivesecurity.com/2021/06/07/hacking-space-how-pwn-satellite/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp, python-django, ruby-nokogiri, and thunderbird), Fedora (dhcp, polkit, transfig, and wireshark), openSUSE (chromium, inn, kernel, redis, and umoci), Oracle (pki-core:10.6), Red Hat (libwebp, nginx:1.18, rh-nginx118-nginx, and thunderbird), SUSE (gstreamer-plugins-bad), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/858561/
∗∗∗ Microsoft Edge: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0612
∗∗∗ Apache HTTP Server: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0611
∗∗∗ QNAP NAS: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0613
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: cURL libcurl vulnerabilities impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-curl-libcurl-vulnerabilit…
∗∗∗ Security Bulletin: OpenSSL vulnerabilities impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect JRE in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Elastic Storage Server GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0, and earlier (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp…
∗∗∗ Security Bulletin: IBM DataPower Gateway GUI permits use of GET ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-gui…
∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to Directory Traversal vulnerability (CVE-2021-20517) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-06-2021 18:00 − Friday 04-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning: World4You phishing email in circulation! ∗∗∗
---------------------------------------------
Criminals are currently sending a fake World4You phishing email to website operators. It claims that the recipient's registered domain is expiring and therefore has to be renewed. Do not comply with the payment demand: the money and your credit card details go straight into the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-phishing-mail-von-world4you…
∗∗∗ Loopholes for malicious code closed in Cisco Webex video conferencing software ∗∗∗
---------------------------------------------
Cisco has released security updates for several products, including routers and Webex.
---------------------------------------------
https://heise.de/-6062229
∗∗∗ Email spoofing: how attackers impersonate legitimate senders ∗∗∗
---------------------------------------------
This article analyzes different ways of spoofing email addresses by changing the From header, which provides information about the sender's name and address.
---------------------------------------------
https://securelist.com/email-spoofing-types/102703/
∗∗∗ Exchange Servers Targeted by ‘Epsilon Red’ Malware ∗∗∗
---------------------------------------------
REvil threat actors may be behind a set of PowerShell scripts developed for encryption and weaponized to exploit vulnerabilities in corporate networks, the ransom note suggests.
---------------------------------------------
https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/
∗∗∗ How to hack into 5500 accounts… just using “credential stuffing” ∗∗∗
---------------------------------------------
Passwords - don't just pay them lip service.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-…
∗∗∗ Russian Dolls VBS Obfuscation, (Fri, Jun 4th) ∗∗∗
---------------------------------------------
We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs".
---------------------------------------------
https://isc.sans.edu/diary/rss/27494
∗∗∗ Build, Hack, and Defend Azure Identity ∗∗∗
---------------------------------------------
An Introduction to PurpleCloud Hybrid + Identity Cyber Range
---------------------------------------------
https://www.sans.org/blog/build-hack-defend-azure-identity?msc=rss
∗∗∗ Necro Python bot adds new exploits and Tezos mining to its bag of tricks ∗∗∗
---------------------------------------------
Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks…
∗∗∗ Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks ∗∗∗
---------------------------------------------
Application and network performance management company NETSCOUT warned organizations this week that STUN servers have been increasingly abused for distributed denial-of-service (DDoS) attacks, and there are tens of thousands of servers that could be abused for such attacks by malicious actors.
---------------------------------------------
https://www.securityweek.com/organizations-warned-stun-servers-increasingly…
∗∗∗ ESET Threat Report T1 2021 ∗∗∗
---------------------------------------------
A view of the T1 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.
---------------------------------------------
https://www.welivesecurity.com/2021/06/03/eset-threat-report-t12021/
∗∗∗ WebLogic RCE Leads to XMRig ∗∗∗
---------------------------------------------
This report will review an intrusion where the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020-14882) to gain initial access to the system before installing [...]
---------------------------------------------
https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/
∗∗∗ CISA Releases Best Practices for Mapping to MITRE ATT&CK® ∗∗∗
---------------------------------------------
As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework. CISA created this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE, which [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/02/cisa-releases-bes…
∗∗∗ FontPack: A dangerous update ∗∗∗
---------------------------------------------
Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates?
---------------------------------------------
https://blog.group-ib.com/fontpack
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published advisories for 13 vulnerabilities. None of them is rated "Critical"; five are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, curl, dhclient, dhcp, firefox, keycloak, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, opera, packagekit, pam-u2f, postgresql, rabbitmq, redis, ruby-bundler, and zint), Debian (caribou, firefox-esr, imagemagick, and isc-dhcp), Fedora (mapserver, mingw-python-pillow, and python-pillow), openSUSE (chromium), Red Hat (firefox, glib2, pki-core:10.6, polkit, rh-ruby26-ruby, and rh-ruby27-ruby), SUSE [...]
---------------------------------------------
https://lwn.net/Articles/858144/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lasso), Fedora (mingw-djvulibre, mingw-exiv2, python-lxml, and singularity), openSUSE (ceph, dhcp, inn, nginx, opera, polkit, upx, and xstream), Oracle (firefox, perl, and polkit), Scientific Linux (firefox), SUSE (avahi, csync2, djvulibre, libwebp, polkit, python-py, slurm, slurm_18_08, thunderbird, and umoci), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...]
---------------------------------------------
https://lwn.net/Articles/858331/
∗∗∗ Advantech iView ∗∗∗
---------------------------------------------
This advisory contains mitigations for Missing Authentication for Critical Function, and SQL Injection vulnerabilities in Advantech iView IoT device management application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602…
∗∗∗ Security Advisory - Race Condition Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602…
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0610
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-06-2021 18:00 − Wednesday 02-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Producing a trustworthy x86-based Linux appliance ∗∗∗
---------------------------------------------
Let's say you're building some form of appliance on top of general-purpose x86 hardware. You want to be able to verify the software it's running hasn't been tampered with. What's the best approach with existing technology?
---------------------------------------------
https://mjg59.dreamwidth.org/57199.html
∗∗∗ Cobalt Strike, a penetration testing tool abused by criminals ∗∗∗
---------------------------------------------
Cobalt Strike is a pen-testing tool that often ends up in the hands of cybercriminals. Are we providing them with the tools to attack us?
...
If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking.
---------------------------------------------
https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-pe…
∗∗∗ Teenagers targeted by online scammers: 5 common tricks ∗∗∗
---------------------------------------------
From fake designer products to tempting job offers: we present five common scam methods that criminals use to go after teenagers' money and data.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/06/01/jugendliche-im-visier-von…
∗∗∗ Website operators beware: TM Österreich is sending fraudulent emails! ∗∗∗
---------------------------------------------
Website operators are reporting a fraudulent email from TM Österreich to us. It claims that someone wants to register your domain under a different top-level domain. TM Österreich offers to register this additional domain for you in order to avoid problems such as loss of revenue or damage to your reputation. Be warned: TM Österreich is fake. Under no circumstances should you accept the offer!
---------------------------------------------
https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-…
∗∗∗ Shodan Verified Vulns 2021-06-01 ∗∗∗
---------------------------------------------
As of 2021-06-01, our Shodan data showed the following picture of vulnerabilities in Austria: as expected, the number of vulnerable Microsoft Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) has continued to decline; according to our latest scans, the number is now even below 100.
---------------------------------------------
https://cert.at/de/aktuelles/2021/6/shodan-verified-vulns-2021-06-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis ∗∗∗
---------------------------------------------
On February 3rd we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module...
Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by scanning the modules in Vdoo’s product security platform, which contains a unique proprietary capability of detecting potential zero-days automatically. The new vulnerabilities were fixed by Realtek, following another responsible disclosure.
---------------------------------------------
https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day/
∗∗∗ Overview of F5 vulnerabilities (June 2021) ∗∗∗
---------------------------------------------
On June 1, 2021, F5 announced the following security issues.
High CVEs
* K08503505: BIG-IP Edge Client for Windows vulnerability CVE-2021-23022, CVSS score: 7.0 (High)
* K33757590: BIG-IP Edge Client for Windows vulnerability CVE-2021-23023, CVSS score: 7.0 (High)
Medium CVEs
* K06024431: BIG-IQ vulnerability CVE-2021-23024, CVSS score: 6.5 (Medium)
---------------------------------------------
https://support.f5.com/csp/article/K67501282
∗∗∗ Critical 0-day in Fancy Product Designer Under Active Attack ∗∗∗
---------------------------------------------
On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
...
Due to this vulnerability being actively attacked, we are publicly disclosing it with minimal details, even though it has not yet been patched, in order to alert the community to take precautions to keep their sites protected.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-desi…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid), Fedora (dhcp), openSUSE (gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly and slurm), Oracle (glib2 and kernel), Red Hat (kernel, kernel-rt, perl, and tcpdump), Scientific Linux (glib2), SUSE (bind, dhcp, lz4, and shim), and Ubuntu (dnsmasq, lasso, and python-django).
---------------------------------------------
https://lwn.net/Articles/857978/
∗∗∗ Synology DiskStation Manager: Vulnerability allows code execution ∗∗∗
---------------------------------------------
CVE-2021-29088
A local attacker can exploit a vulnerability in Synology DiskStation Manager to execute arbitrary code.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0596
∗∗∗ XSS vulnerability found in popular WYSIWYG website editor [Froala] ∗∗∗
---------------------------------------------
...the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators.
---------------------------------------------
https://www.zdnet.com/article/xss-vulnerability-found-in-popular-wysiwyg-we…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-22696) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to Server-side Request Forgery and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HttpComponents and HttpCommons affect embedded WebSphere Application Server, which affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection attack and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Hillrom Medical Device Management ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-152-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 31-05-2021 18:00 − Tuesday 01-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firefox 89 and ESR 78.11: New browser versions, new security updates ∗∗∗
---------------------------------------------
Besides new features, the Mozilla team has also given the freshly released Firefox versions patches for security vulnerabilities.
---------------------------------------------
https://heise.de/-6059513
∗∗∗ Planning a holiday in Croatia? Beware of paid registration sites such as enter-croatia.com! ∗∗∗
---------------------------------------------
Many Austrians are looking forward to finally travelling to Croatia again. Because of the COVID-19 pandemic, however, stricter entry rules apply, such as the recommendation to complete a free online registration. Providers such as Visa Gate GmbH exploit the uncertainty of many tourists and put paid registration sites online. We recommend that you do not complete the (voluntary) online registration via enter-croatia.com!
---------------------------------------------
https://www.watchlist-internet.at/news/kroatien-urlaub-geplant-nehmen-sie-s…
∗∗∗ Windows 10's package manager flooded with duplicate, malformed apps ∗∗∗
---------------------------------------------
Microsoft's Windows 10 package manager Winget's GitHub has been flooded with duplicate apps and malformed manifest files, raising concerns among developers with regard to the integrity of apps.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10s-package-manager-…
∗∗∗ Quick and dirty Python: nmap, (Mon, May 31st) ∗∗∗
---------------------------------------------
This diary continues on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running.
---------------------------------------------
https://isc.sans.edu/diary/rss/27480
∗∗∗ Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st) ∗∗∗
---------------------------------------------
We recently identified a new Guildma/Astaroth campaign targeting South America, mainly Brazil, using a new variant of the malware. Guildma is known for its multi-stage infection chain and the evasion techniques it uses to reach and exfiltrate victims’ data. In a previous diary [1] at Morphus Labs, we analyzed a Guildma variant which employed an innovative strategy to stay active, using Facebook and YouTube to get a new list of its C2 servers.
---------------------------------------------
https://isc.sans.edu/diary/rss/27482
∗∗∗ Evadere Classifications ∗∗∗
---------------------------------------------
The term evasion is derived from the Latin word "evadere" which means - "To escape, to get away." The DOD defines evasion as - "The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control." [...] This made me think - what does evasion or bypass truly mean? Are there different categories that these evasion techniques fit into? Lastly, if these techniques are to fit into categories - how can detection engineers leverage these for engagements?
---------------------------------------------
https://posts.specterops.io/evadere-classifications-8851a429c94b
∗∗∗ Revisiting the NSIS-based crypter ∗∗∗
---------------------------------------------
In this blog we look at the constantly evolving NSIS crypter which malware authors have been leveraging as a flexible tool to pack and encrypt their samples.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-b…
∗∗∗ TeamTNT botnet makes 50,000 victims over the last three months ∗∗∗
---------------------------------------------
TeamTNT, a crypto-mining botnet specialized in infecting misconfigured Docker and Kubernetes platforms, has compromised more than 50,000 systems over the last three months, between March and May 2021, security firm Trend Micro said last week.
---------------------------------------------
https://therecord.media/teamtnt-botnet-makes-50000-victims-over-the-last-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 ∗∗∗
---------------------------------------------
On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of this vulnerability, see lasso.git NEWS. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cflow, chromium, eterm, gnutls, and kernel), Mageia (kernel and kernel-linus), Oracle (glib2), Red Hat (glib2, kernel, kernel-rt, and kpatch-patch), SUSE (curl, djvulibre, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, nginx, python-httplib2, and slurm), and Ubuntu (gupnp, libwebp, postgresql-10, postgresql-12, postgresql-13, and python3.8).
---------------------------------------------
https://lwn.net/Articles/857830/
∗∗∗ Security Bulletin: A format string security vulnerability has been identified in IBM Spectrum Scale (CVE-2021-29740) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-format-string-security-…
∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-05-2021 18:00 − Monday 31-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security update: root vulnerability in SonicWall's Network Security Manager ∗∗∗
---------------------------------------------
Attackers could slip through a vulnerability in the firewall management software Network Security Manager.
---------------------------------------------
https://heise.de/-6057794
∗∗∗ Client Puzzle Protocols (CPPs) as countermeasures against automated threats to web applications ∗∗∗
---------------------------------------------
Client Puzzle Protocols (CPPs) can be effective measures against denial-of-service attacks. Their effectiveness, however, has to be verified.
---------------------------------------------
https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vla…
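The SySS article is only summarized above. As an added example (not the article's or any project's code), the following Go program implements the classic hash-based client puzzle the term refers to: the server issues a random nonce and a difficulty, the client has to find a counter such that SHA-256(nonce || counter) starts with that many zero bits, and the server checks the answer with a single hash. The 16-byte nonce, the SHA-256 construction and the difficulty values are choices made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Puzzle is what the server hands to a client before it accepts an expensive
// request (login, search, form post). The server keeps no per-client state:
// everything it needs is recomputed from the nonce it issued.
type Puzzle struct {
	Nonce      []byte // server-chosen, unpredictable, bound to one request
	Difficulty uint   // required leading zero bits in SHA-256(nonce || solution)
}

// NewPuzzle issues a fresh puzzle. Difficulty is the operator's knob: each extra
// bit doubles the client's expected work while verification cost stays constant.
func NewPuzzle(difficulty uint) (Puzzle, error) {
	nonce := make([]byte, 16) // 16 bytes is an assumption for this example
	if _, err := rand.Read(nonce); err != nil {
		return Puzzle{}, err
	}
	return Puzzle{Nonce: nonce, Difficulty: difficulty}, nil
}

// leadingZeroBits counts the zero bits at the front of a hash.
func leadingZeroBits(h []byte) uint {
	var n uint
	for _, b := range h {
		if b == 0 {
			n += 8
			continue
		}
		n += uint(bits.LeadingZeros8(b))
		break
	}
	return n
}

// Verify is the server side: one SHA-256, regardless of difficulty.
func (p Puzzle) Verify(solution uint64) bool {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, solution)
	h := sha256.Sum256(append(append([]byte{}, p.Nonce...), buf...))
	return leadingZeroBits(h[:]) >= p.Difficulty
}

// Solve is the client side: brute-force a counter until the hash qualifies.
// Expected work is about 2^Difficulty hashes; that cost is what rate-limits an attacker.
func (p Puzzle) Solve() uint64 {
	for sol := uint64(0); ; sol++ {
		if p.Verify(sol) {
			return sol
		}
	}
}

func main() {
	p, err := NewPuzzle(16) // roughly 65k hashes per request on the client
	if err != nil {
		panic(err)
	}
	sol := p.Solve()
	fmt.Printf("nonce=%s solution=%d hashes=%d valid=%v\n",
		hex.EncodeToString(p.Nonce), sol, sol+1, p.Verify(sol))
}
```

The asymmetry is the whole point: the server pays one hash per check while the client's expected work doubles per difficulty bit. Whether that stops a given attacker, which is the question the article raises, depends on tuning: too low and a botnet absorbs the cost, too high and legitimate mobile clients time out. Puzzles must also be single-use and bound to a request (track issued nonces with a short expiry, or derive them from the request and a server secret), otherwise one solution can be replayed.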
∗∗∗ Threat spotlight: Conti, the ransomware used in the HSE healthcare attack ∗∗∗
---------------------------------------------
[...] In this blog, we’ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics.
---------------------------------------------
https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-con…
∗∗∗ PoC published for new Microsoft PatchGuard (KPP) bypass ∗∗∗
---------------------------------------------
A security researcher has discovered a bug in PatchGuard, a crucial Windows security feature, that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel.
---------------------------------------------
https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypa…
∗∗∗ WooCommerce Credit Card Skimmer Hides in Plain Sight ∗∗∗
---------------------------------------------
Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration.
---------------------------------------------
https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html
∗∗∗ On the Taxonomy and Evolution of Ransomware ∗∗∗
---------------------------------------------
Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge.
---------------------------------------------
https://threatpost.com/taxonomy-evolution-ransomware/166462/
∗∗∗ Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th) ∗∗∗
---------------------------------------------
In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of service, new version, etc. There also have been some reports this week about a large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27472
∗∗∗ Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th) ∗∗∗
---------------------------------------------
New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.
---------------------------------------------
https://isc.sans.edu/diary/rss/27476
∗∗∗ Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th) ∗∗∗
---------------------------------------------
One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.
---------------------------------------------
https://isc.sans.edu/diary/rss/27478
∗∗∗ IT threat evolution Q1 2021 ∗∗∗
---------------------------------------------
SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021/102382/
∗∗∗ IT threat evolution Q1 2021. Mobile statistics ∗∗∗
---------------------------------------------
In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/
∗∗∗ IT threat evolution Q1 2021. Non-mobile statistics ∗∗∗
---------------------------------------------
In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/10…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4).
---------------------------------------------
https://lwn.net/Articles/857737/
∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-…
∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-05-2021 18:00 − Friday 28-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI to share compromised passwords with Have I Been Pwned ∗∗∗
---------------------------------------------
The FBI will soon begin to share compromised passwords that were discovered during law enforcement investigations with Have I Been Pwned's Pwned Passwords service.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-to-share-compromised-pas…
∗∗∗ Ransomware gangs' slow decryptors prompt victims to seek alternatives ∗∗∗
---------------------------------------------
Recently, two highly publicized ransomware victims received a decryptor that was too slow to be effective in quickly restoring the victims' networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryp…
∗∗∗ Tracking BokBot (a.k.a. IcedID) Infrastructure ∗∗∗
---------------------------------------------
BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware.
---------------------------------------------
https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/
∗∗∗ Malicious PowerShell Hosted on script.google.com, (Fri, May 28th) ∗∗∗
---------------------------------------------
Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27468
∗∗∗ Patch now! Critical vulnerability in HPE SIM closed ∗∗∗
---------------------------------------------
An important security update has been released for Hewlett Packard Enterprise Systems Insight Manager (SIM).
---------------------------------------------
https://heise.de/-6056415
∗∗∗ Falsifying and weaponizing certified PDFs ∗∗∗
---------------------------------------------
Certified PDFs are supposed to control modifications so that recipients know they haven't been tampered with. It doesn't always work.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/falsifyi…
∗∗∗ Do you know your OpSec? ∗∗∗
---------------------------------------------
Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/do-you-know-your-opsec/
∗∗∗ Ready for a holiday? Don't book via ferienhauspartner.co, fewopartner.co, holidaypartner.co & ferienpartner.co! ∗∗∗
---------------------------------------------
Looking for a holiday home for the coming summer? If so, you may come across fraudulent websites: criminals are currently offering holiday houses and flats in Germany and Denmark that can be booked by advance payment. Beware: the money paid goes straight into the criminals' hands, and no valid booking exists.
---------------------------------------------
https://www.watchlist-internet.at/news/urlaubsreif-buchen-sie-nicht-ueber-f…
∗∗∗ MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone ∗∗∗
---------------------------------------------
To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/mobile-inter/
∗∗∗ Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat ∗∗∗
---------------------------------------------
A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape.
---------------------------------------------
https://unit42.paloaltonetworks.com/docker-honeypot/
∗∗∗ CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier ∗∗∗
---------------------------------------------
In April 2021, the ZDI received a Linux kernel submission that turned out to be an incorrect bounds calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. This bug was submitted to the program by Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf). Manfred Paul had successfully exploited two other eBPF verifier bugs in Pwn2Own 2020 and 2021 respectively.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-ca…
∗∗∗ The Race to Native Code Execution in PLCs ∗∗∗
---------------------------------------------
Claroty has found a severe memory protection bypass vulnerability (CVE-2020-15782) in Siemens PLCs, the SIMATIC S7-1200 and S7-1500. An attacker could abuse this vulnerability on PLCs with disabled access protection to gain read and write access anywhere on the PLC and remotely execute malicious code.
---------------------------------------------
https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-…
∗∗∗ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ∗∗∗
---------------------------------------------
On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs, research institutions, government agencies, international agencies. The campaign's phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL [...]
---------------------------------------------
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges customers to immediately patch NSM On-Prem bug ∗∗∗
---------------------------------------------
SonicWall urges customers to immediately patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-urges-customers-to…
∗∗∗ SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families ∗∗∗
---------------------------------------------
SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-434534.txt
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx), Fedora (chromium, curl, kernel, php-symfony3, php-symfony4, python-lxml, python-pip, and runc), Mageia (ceph and wireshark), openSUSE (mpv), Oracle (bind, idm:DL1, redis:6, slapi-nis, squid:4, and xorg-x11-server), SUSE (curl, nginx, postgresql10, postgresql12, postgresql13, slurm, slurm_18_08, and slurm_20_11), and Ubuntu (nginx).
---------------------------------------------
https://lwn.net/Articles/857581/
∗∗∗ Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M ∗∗∗
---------------------------------------------
BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends customers to update vulnerable components with fixed software versions. A second vulnerable condition was found when using the HTTP protocol, in which the user password is transmitted as a clear-text parameter. The latest firmware versions allow only HTTPS. If a software update is not [...]
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-05-2021 18:00 − Thursday 27-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning: criminals are forging the "Green Pass"! ∗∗∗
---------------------------------------------
Austria will soon introduce the "Green Pass", which is meant to simplify access to restaurants and close-contact services. It will only become available in the second week of June, yet criminals are already distributing a "variant" of the Green Pass. We assume that personal data is being harvested in the process. Anyone who uses the bogus app as valid proof of vaccination, testing or recovery may also be committing a criminal offence.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-kriminelle-faelschen-gruenen…
∗∗∗ Exploit published: patched WebKit vulnerability still open on iPhones ∗∗∗
---------------------------------------------
A patch in the open-source foundation of all iOS browsers has still not made it into Apple's operating systems weeks later, a security firm warns.
---------------------------------------------
https://heise.de/-6055716
∗∗∗ BazaLoader Masquerades as Movie-Streaming Service ∗∗∗
---------------------------------------------
The website for “BravoMovies” features fake movie posters and a FAQ with a rigged Excel spreadsheet for “cancelling” the service, but all it downloads is malware.
---------------------------------------------
https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/
∗∗∗ “Unpatchable” vuln in Apple’s new Mac chip – what you need to know ∗∗∗
---------------------------------------------
It's all over the news! The bug you can't fix! Fortunately, you don't need to. We explain why.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/05/27/unpatchable-vuln-in-apples-new-…
∗∗∗ Analysis report of the Facefish rootkit ∗∗∗
---------------------------------------------
In Feb 2021, we came across an ELF sample using some CWP N-day exploits. We did some analysis, but after checking with a partner who has good visibility into network traffic in some areas of China, we discovered there were literally zero hits for the C2 traffic.
---------------------------------------------
https://blog.netlab.360.com/ssh_stealer_facefish_en/
∗∗∗ All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th) ∗∗∗
---------------------------------------------
Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention, and in the case of malware it has led its authors to devise some very interesting ways to hide from detection over the years - from encoding of executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further.
---------------------------------------------
https://isc.sans.edu/diary/rss/27466
∗∗∗ Saving Your Access ∗∗∗
---------------------------------------------
After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page.
---------------------------------------------
https://posts.specterops.io/saving-your-access-d562bf5bf90b
∗∗∗ Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises ∗∗∗
---------------------------------------------
Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophist…
=====================
= Vulnerabilities =
=====================
∗∗∗ HPE fixes critical zero-day vulnerability disclosed in December ∗∗∗
---------------------------------------------
Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability disclosed last year, in December.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-fixes-critical-zero-day-…
∗∗∗ Drupal: update closes cross-site scripting vulnerability in several CMS versions ∗∗∗
---------------------------------------------
The CKEditor library used by Drupal core allowed attacks under certain circumstances. Updates are available for both core and the library.
---------------------------------------------
https://heise.de/-6055672
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx).
---------------------------------------------
https://lwn.net/Articles/857460/
∗∗∗ Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks ∗∗∗
---------------------------------------------
Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-visual-studio-code-extensions-…
∗∗∗ GENIVI Alliance DLT ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in GENIVI Alliance DLT-Daemon software component.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-01
∗∗∗ Johnson Controls Sensormatic Electronics VideoEdge ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics VideoEdge surveillance systems. Sensormatic Electronics is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-02
∗∗∗ Siemens JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
This advisory contains mitigations for Untrusted Pointer Dereference, Out-of-bounds Read, and Stack-based Buffer Overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-04
∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric iQ-R Series CPU modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-05
∗∗∗ Internet Systems Consortium DHCP: vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0587
∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021050156
∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021050155
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services ( CVE-2021-3393) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-aff…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in IBM® Runtime Environment Java™ Technology Edition. (CVE-2020-14779) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2020-10733) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-05-2021 18:00 − Wednesday 26-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Kaspersky Security Bulletin 2020-2021. EU statistics ∗∗∗
---------------------------------------------
The statistics in this report cover the period from May 2020 to April 2021, inclusive.
---------------------------------------------
https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/…
∗∗∗ Smart lighting security ∗∗∗
---------------------------------------------
RJ45 connections delivering Power over Ethernet are becoming prevalent in light fittings, a result of the lower power demands from LED fittings. This creates potential for uninformed installers to inadvertently bridge network security controls through connecting the light fittings to existing networking equipment. ... Radio protocols can also lead to compromise if not done securely; Bluetooth Classic, BLE, Z-Wave and many other protocols can be exploited if not configured correctly.
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-lighting-security/
∗∗∗ The Attack Path Management Manifesto ∗∗∗
---------------------------------------------
The primary goal of Attack Path Management (APM) is to directly solve the problem of Attack Paths. Today, the problem of Attack Paths is felt most acutely in the world of Microsoft Active Directory and Azure Active Directory. These platforms provide the greatest payoff for attackers, since taking control of the fundamental identity platform for an enterprise grants full control of all users, systems, and data in that enterprise.
---------------------------------------------
https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5
∗∗∗ CVE-2021-22909- Digging into a Ubiquiti Firmware Update bug ∗∗∗
---------------------------------------------
Back in February, Ubiquiti released a new firmware update for the Ubiquiti EdgeRouter, fixing CVE-2021-22909/ZDI-21-601. The vulnerability lies in the firmware update procedure and allows a man-in-the-middle (MiTM) attacker to execute code as root on the device by serving a malicious firmware image when the system performs an automatic firmware update. ... The impact of this vulnerability is quite nuanced and worthy of further discussion.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/24/cve-2021-22909-digging-into-a-ubiquit…
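The ZDI write-up is only summarized above, and this page does not describe the EdgeRouter's update logic itself. As an added example (not Ubiquiti's or ZDI's code), the Go program below contrasts the two designs that decide whether a man-in-the-middle can serve an image: a checksum fetched over the same channel as the image, which an interceptor rewrites along with it, against an Ed25519 signature over the update manifest that is checked with a vendor public key already present on the device. The manifest layout, the fixed key seed and the image contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata an update server hands to the device next to the image.
// In the weak design only ImageSHA is populated and both travel over the same
// interceptable channel; in the strong design Signature covers Version and ImageSHA.
type Manifest struct {
	Version   string
	ImageSHA  string // hex SHA-256 of the image
	Signature []byte // Ed25519 over manifestBytes(m); empty in the weak design
}

func imageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// manifestBytes is the exact byte string that is signed and verified.
func manifestBytes(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.ImageSHA + "\n")
}

// weakVerify: the checksum only proves the image matches the manifest that arrived
// with it. Whoever controls the channel controls both, so this stops nothing.
func weakVerify(m Manifest, image []byte) bool {
	return imageDigest(image) == m.ImageSHA
}

// strongVerify: the device holds the vendor public key from factory time, so nothing
// fetched during the update is trusted until the manifest signature checks out.
func strongVerify(vendorPub ed25519.PublicKey, m Manifest, image []byte) error {
	if len(m.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(vendorPub, manifestBytes(m), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if imageDigest(image) != m.ImageSHA {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

// signManifest is what the vendor's build pipeline does; the private key never
// reaches the device or the update server.
func signManifest(vendorPriv ed25519.PrivateKey, version string, image []byte) Manifest {
	m := Manifest{Version: version, ImageSHA: imageDigest(image)}
	m.Signature = ed25519.Sign(vendorPriv, manifestBytes(m))
	return m
}

// mitmSwap models the interceptor: replace the image and rewrite the checksum so the
// weak check still passes. Without the private key it cannot refresh the signature.
func mitmSwap(m Manifest, evil []byte) (Manifest, []byte) {
	m.ImageSHA = imageDigest(evil)
	return m, evil
}

// deterministicKeys derives the vendor key pair from a fixed 32-byte seed so the
// example is reproducible; a real vendor generates the key once and keeps it offline.
func deterministicKeys(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte(seed))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := deterministicKeys("constructed-vendor-seed-32-bytes")
	genuine := []byte("constructed firmware image 1.2") // stands in for a real image
	m := signManifest(priv, "1.2", genuine)
	fmt.Println("genuine  weak:", weakVerify(m, genuine), " strong:", strongVerify(pub, m, genuine))
	mm, evil := mitmSwap(m, []byte("attacker image with a root shell"))
	fmt.Println("swapped  weak:", weakVerify(mm, evil), " strong:", strongVerify(pub, mm, evil))
}
```

The signed manifest carries the version as well as the digest, so an attacker cannot change either field without invalidating the signature; what it does not prevent on its own is replaying a genuinely signed older image, so a device should also refuse any Version at or below the one installed (that comparison is left out here). The private key stays in the build pipeline, not on the update server, which is what makes "serve a malicious image" insufficient even with full control of the channel.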
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗
---------------------------------------------
Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
---------------------------------------------
https://kb.cert.org/vuls/id/799380
∗∗∗ CVE-2020-14145 ∗∗∗
---------------------------------------------
A vulnerability in OpenSSH <= 8.6 allows a man-in-the-middle attacker to determine whether a client already has prior knowledge of the remote host's fingerprint. Using this information leak, it is possible to ignore clients that would show an error message during a man-in-the-middle attack, while new clients can be intercepted without alerting them to the attack. [...] At the moment, the only option to mitigate this vulnerability is to set HostKeyAlgorithms in your config file.
---------------------------------------------
https://docs.ssh-mitm.at/CVE-2020-14145.html
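The advisory above names the leak but not what the man-in-the-middle actually observes. As an added example (not ssh-mitm's or OpenSSH's code), the Go program below models it: with HostKeyAlgorithms unset, the OpenSSH client reorders its host-key algorithm proposal so that the algorithms for which known_hosts already holds a key come first, and since the KEXINIT is sent in the clear an observer can compare the proposal against the client's default order. The baseline list is assumed to be that of an OpenSSH 8.x client (check `ssh -Q HostKeyAlgorithms` on your own build; it changes between releases), and Promote is a simplified model of the client's reordering that matches on algorithm name rather than on key type.

```go
package main

import (
	"fmt"
	"strings"
)

// Baseline proposal assumed for this example: an OpenSSH 8.x client with
// HostKeyAlgorithms unset (after myproposal.h; verify against your own build).
const baseline = "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com," +
	"ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," +
	"ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com," +
	"rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com," +
	"ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com," +
	"ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa"

var baselineAlgs = strings.Split(baseline, ",")

type Verdict int

const (
	NoPriorKnowledge Verdict = iota // proposal equals the baseline
	KnownHost                        // baseline with a promoted prefix: known_hosts has a key for this server
	Inconclusive                     // not a reordering of the baseline: HostKeyAlgorithms is set (the mitigation)
)

func (v Verdict) String() string {
	return [...]string{"no prior knowledge", "known host", "inconclusive"}[v]
}

// Promote is a simplified model of the client with HostKeyAlgorithms unset: keep the
// baseline order, but move every algorithm whose plain name is in knownTypes to the
// front. (The real client groups by key type, e.g. rsa-sha2-* together with ssh-rsa;
// matching on the name is enough to show the leak.)
func Promote(defaults []string, knownTypes ...string) string {
	var front, back []string
	for _, alg := range defaults {
		plain := strings.TrimSuffix(alg, "-cert-v01@openssh.com")
		known := false
		for _, k := range knownTypes {
			if plain == k {
				known = true
			}
		}
		if known {
			front = append(front, alg)
		} else {
			back = append(back, alg)
		}
	}
	return strings.Join(append(front, back...), ",")
}

// splitsBaseline reports whether front and back, each kept in baseline order,
// together make up exactly the baseline list.
func splitsBaseline(front, back, defaults []string) bool {
	i, j := 0, 0
	for _, d := range defaults {
		switch {
		case i < len(front) && front[i] == d:
			i++
		case j < len(back) && back[j] == d:
			j++
		default:
			return false
		}
	}
	return i == len(front) && j == len(back)
}

// Classify is the observer's side. It looks for the smallest split point k such that
// proposal[:k] and proposal[k:] are each in baseline order: k == 0 is the untouched
// default, k > 0 is a promoted prefix and names the key types the client already trusts.
func Classify(proposal string, defaults []string) (Verdict, []string) {
	algs := strings.Split(proposal, ",")
	for k := 0; k <= len(algs); k++ {
		if splitsBaseline(algs[:k], algs[k:], defaults) {
			if k == 0 {
				return NoPriorKnowledge, nil
			}
			return KnownHost, algs[:k]
		}
	}
	return Inconclusive, nil
}

func main() {
	for _, proposal := range []string{
		baseline,                                // first connection to a host
		Promote(baselineAlgs, "ssh-ed25519"),    // host already in known_hosts with an ed25519 key
		"ssh-ed25519,rsa-sha2-512,rsa-sha2-256", // client with HostKeyAlgorithms pinned in ssh_config
	} {
		v, promoted := Classify(proposal, baselineAlgs)
		fmt.Printf("%-20s promoted=%v\n", v, promoted)
	}
}
```

A proposal that is neither the baseline nor a promoted permutation of it is reported as inconclusive; that is what a client with HostKeyAlgorithms set explicitly looks like, which is why the advisory calls that setting the only current mitigation: the proposal is then identical for every host, known or not. A promoted set that already sits at the front of the baseline is indistinguishable from the default, so the classifier can miss, but it never reports an unmodified default proposal as a known host.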
∗∗∗ Security updates: critical code-execution vulnerability threatens VMware vCenter Server ∗∗∗
---------------------------------------------
The server management software vCenter Server is vulnerable. Attackers could execute malicious code.
---------------------------------------------
https://heise.de/-6054003
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (djvulibre, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gupnp, hivex, lz4, matrix-synapse, prometheus, python-pydantic, runc, thunderbird, and websvn), Fedora (composer, moodle, and wordpress), Gentoo (bash, boost, busybox, containerd, curl, dnsmasq, ffmpeg, firejail, gnome-autoar, gptfdisk, icu, lcms, libX11, mariadb, mumble, mupdf, mutt, mysql, nettle, nextcloud-client, opensmtpd, openssh, openvpn, php, postgresql, prosody, rxvt-unicode, samba, screen, smarty, spamassassin, squid, stunnel, tar, tcpreplay, telegram-desktop), openSUSE (Botan), Red Hat (kernel), Slackware (gnutls), SUSE (hivex, libu2f-host, rubygem-actionpack-5_1), Ubuntu (apport, exiv2, libx11).
---------------------------------------------
https://lwn.net/Articles/857352/
∗∗∗ Cisco ADE-OS Local File Inclusion Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Finesse Open Redirect Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SSA-119468: Luxion KeyShot Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-119468.txt
∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-…
∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-…
∗∗∗ Security Advisory - Improper Licenses Management Vulnerability in Some Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-…
∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann…
∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates…
∗∗∗ Security Bulletin: Data protection rules and policies are not enforced on virtualized objects ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-data-protection-rules-and…
∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2021-20487 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-…
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-license-key-server-ad…
∗∗∗ Overview of NGINX vulnerabilities (May 2021) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52559937?utm_source=f5support&utm_mediu…
∗∗∗ NGINX Plus and Open Source vulnerability CVE-2021-23017 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K12331123?utm_source=f5support&utm_mediu…
∗∗∗ Datakit Libraries bundled in Luxion KeyShot ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01
∗∗∗ Rockwell Automation Micro800 and MicroLogix 1400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-05-2021 18:00 − Tuesday 25-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Beware of SMS notifications about the delivery status of an order ∗∗∗
---------------------------------------------
Are you expecting a parcel? Then you should be especially careful if you receive information about the status of your order by SMS, because criminals are currently sending out fake delivery notifications en masse. To learn the details, you are asked to click on a link. Do not do that under any circumstances, [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-…
∗∗∗ Patch now! Critical Windows vulnerability affects more systems than thought ∗∗∗
---------------------------------------------
A security researcher has discovered another vulnerable component in Windows systems. Updates are already available.
---------------------------------------------
https://heise.de/-6052749
∗∗∗ Qnap belatedly secures NAS against Qlocker attacks ∗∗∗
---------------------------------------------
Since April, a ransomware trojan has been targeting Qnap network-attached storage devices. Only now are security patches available.
---------------------------------------------
https://heise.de/-6052783
∗∗∗ Evolution of JSWorm ransomware ∗∗∗
---------------------------------------------
There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm.
---------------------------------------------
https://securelist.com/evolution-of-jsworm-ransomware/102428/
∗∗∗ "Serverless" Phishing Campaign, (Sat, May 22nd) ∗∗∗
---------------------------------------------
The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I spot a phishing campaign that uses this piece of JavaScript code.
---------------------------------------------
https://isc.sans.edu/diary/rss/27446
∗∗∗ Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd) ∗∗∗
---------------------------------------------
Brad posted another malware analysis with capture file of Cobalt Strike traffic.
---------------------------------------------
https://isc.sans.edu/diary/rss/27448
∗∗∗ Web Applications and Internal Penetration Tests ∗∗∗
---------------------------------------------
Until recently, I really didn't care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed: internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...]
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applica…
∗∗∗ Apple Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS ∗∗∗
---------------------------------------------
Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur, and to expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control (TCC) framework in macOS
---------------------------------------------
https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.ht…
∗∗∗ OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant ∗∗∗
---------------------------------------------
Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit.
---------------------------------------------
https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticat…
∗∗∗ DarkChronicles: the consequences of the Colonial Pipeline attack ∗∗∗
---------------------------------------------
This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident.
---------------------------------------------
https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-conseq…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗
---------------------------------------------
Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
---------------------------------------------
https://kb.cert.org/vuls/id/799380
∗∗∗ VU#667933: Pulse Connect Secure Samba buffer overflow ∗∗∗
---------------------------------------------
Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.
---------------------------------------------
https://kb.cert.org/vuls/id/667933
∗∗∗ Trend Micro: Home Network Security Station secured against three vulnerabilities ∗∗∗
---------------------------------------------
A firmware update protects Home Network Security Stations against attack vectors, two of which are said to pose high risks despite being exploitable only locally.
---------------------------------------------
https://heise.de/-6053146
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat).
---------------------------------------------
https://lwn.net/Articles/857132/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby).
---------------------------------------------
https://lwn.net/Articles/857212/
∗∗∗ [20210503] - Core - CSRF in data download endpoints ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-…
∗∗∗ [20210502] - Core - CSRF in AJAX reordering endpoint ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-…
∗∗∗ [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/852-20210501-core-adding-h…
∗∗∗ Pulse Secure VPNs Get Quick Fix for Critical RCE ∗∗∗
---------------------------------------------
https://threatpost.com/pulse-secure-vpns-critical-rce/166437/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ NGINX Controller vulnerability CVE-2021-23018 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97002210
∗∗∗ NGINX Controller vulnerability CVE-2021-23021 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36926027
∗∗∗ NGINX Controller vulnerability CVE-2021-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45263486
∗∗∗ SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-05-2021 18:00 − Friday 21-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Mail encryption: Thunderbird was sloppy with PGP keys ∗∗∗
---------------------------------------------
The OpenPGP implementation of the open-source mail client Thunderbird stored the secret keys in plaintext.
---------------------------------------------
https://heise.de/-6051767
∗∗∗ QNAP confirms Qlocker ransomware used HBS backdoor account ∗∗∗
---------------------------------------------
QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-confirms-qlocker-ransom…
∗∗∗ Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st) ∗∗∗
---------------------------------------------
For bad guys, the implementation of techniques to prevent security analysts from performing their job is key! The idea is to make our life more difficult (read: "frustrating"). There are plenty of techniques that can be implemented, but it's an ever-ongoing process.
---------------------------------------------
https://isc.sans.edu/diary/rss/27444
∗∗∗ Double-Encrypting Ransomware ∗∗∗
---------------------------------------------
This seems to be a new tactic: Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a "side-by-side encryption" attack, in which attackers encrypt some of an organization's systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/05/double-encrypting-ransomware…
∗∗∗ 21nails: Reporting on Vulnerable SMTP/Exim Servers ∗∗∗
---------------------------------------------
We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection; there is no attempt to exploit the port, only to collect the banner [...]
---------------------------------------------
https://www.shadowserver.org/news/21nails-reporting-on-vulnerable-smtp-exim…
∗∗∗ Project Zero: Fuzzing iOS code on macOS at native speed ∗∗∗
---------------------------------------------
This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at…
∗∗∗ Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator ∗∗∗
---------------------------------------------
Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments.
---------------------------------------------
https://www.securityweek.com/microsoft-unveils-simuland-open-source-attack-…
∗∗∗ Getting a persistent shell on a 747 IFE ∗∗∗
---------------------------------------------
TL;DR: The Coronavirus pandemic has hit the airline industry hard. One sad consequence was the early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/getting-a-persistent-shell-on…
∗∗∗ New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th) ∗∗∗
---------------------------------------------
[...] I planned this video series a couple months ago, and figured that this would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one.
---------------------------------------------
https://isc.sans.edu/diary/rss/27440
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Heap-based buffer overflow in Google Chrome could lead to code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome.
---------------------------------------------
https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-hea…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine).
---------------------------------------------
https://lwn.net/Articles/856902/
∗∗∗ Security Advisory - Improper Authorization Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager Virtual Appliance (CVE-2019-17006) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilitiy…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by an information disclosure vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea…
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which could allow access to sensitive information ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…