Daily

daily@lists.cert.at

1 participants
3085 discussions

Tageszusammenfassung - 02.03.2021
by Daily end-of-shift report 02 Mar '21

02 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 01-03-2021 18:00 − Dienstag 02-03-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ European e-ticketing platform Ticketcounter extorted in data breach ∗∗∗ --------------------------------------------- A Dutch e-Ticketing platform has suffered a data breach after a user database containing 1.9 million unique email addresses was stolen from an unsecured staging server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-e-ticketing-platfor… ∗∗∗ Bruce Schneier: Auch das Wirtschaftssystem trägt Schuld am Solarwinds-Hack ∗∗∗ --------------------------------------------- Mit schlechter IT-Sicherheit würden Gewinne gemacht, während Verbraucher und Gesellschaft die Risiken trügen. Das muss sich laut Schneier ändern. --------------------------------------------- https://www.golem.de/news/bruce-schneier-auch-das-wirtschaftssystem-traegt-… ∗∗∗ Inside the Ransomware Economy ∗∗∗ --------------------------------------------- The trouble with ransomware is well known at this point. From Egregor to Doppelpaymer to Ryuk, it continues to command headlines. Pandemic-fueled phishing scams, the lack of visibility across remote endpoints, and lax attitudes have been a boon for ransomware groups over the last year. Worst of all, ransomware no longer discriminates. It dominates small towns and municipal offices, video game makers, and shamelessly, healthcare organizations and school systems already pushed to the brink by the COVID-19 pandemic. The threat could still become more pervasive over the next two to three years, not because ransomware is effective in and of itself but because of other players in the game - insurance companies, brokers, and even attorneys - that continue to fan the flames. --------------------------------------------- https://www.securityweek.com/inside-ransomware-economy ∗∗∗ Einreiseanmeldung für Deutschland nicht über „digitale-einreiseanmeldung.de“ vornehmen ∗∗∗ --------------------------------------------- Die Corona-Pandemie erschwert die Einreise in andere Länder erheblich. Für eine Reise nach Deutschland muss beispielsweise unter Umständen zuvor eine digitale Einreisanmeldung vorgenommen werden. Bei der Recherche über Einreisebestimmungen stoßen Reisende jedoch oftmals auf unseriöse Websites, die die digitale Einreisanmeldung kostenpflichtig anbieten. Nehmen Sie von kostenpflichtigen Angeboten zur Einreiseanmeldung Abstand. Es ist unklar, ob diese Anbieter Ihre [...] --------------------------------------------- https://www.watchlist-internet.at/news/einreiseanmeldung-fuer-deutschland-n… ∗∗∗ Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns ∗∗∗ --------------------------------------------- Cybercriminals use fast flux to maintain uptime for malicious activities. We show how it works in a fictional scenario and real-world case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/fast-flux-101/ ∗∗∗ Povlsomware Ransomware ∗∗∗ --------------------------------------------- Povlsomware markets itself as a proof-of-concept (POC) ransomware designed to test security vendor products. Trend Micro reports on some interesting capabilities associated with the malware. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/e7d232e9df181a3c873c3eaeb56… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin - March 2021 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2021-03-01 ∗∗∗ Zehn Sicherheitslücken in Server-Konfigurationssoftware Saltstack geschlossen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Serversoftware Saltstack. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-5069120 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/847944/ ∗∗∗ Joomla! Security Announcements ∗∗∗ --------------------------------------------- [20210301] - Core - Insecure randomness within 2FA secret generation https://developer.joomla.org:443/security-centre/841-20210301-core-insecure… [20210302] - Core - Potential Insecure FOFEncryptRandval https://developer.joomla.org:443/security-centre/842-20210302-core-potentia… [20210303] - Core - XSS within alert messages showed to users https://developer.joomla.org:443/security-centre/843-20210303-core-xss-with… [20210304] - Core - XSS within the feed parser library https://developer.joomla.org:443/security-centre/844-20210304-core-xss-with… [20210305] - Core - Input validation within the template manager https://developer.joomla.org:443/security-centre/845-20210305-core-input-va… [20210306] - Core - com_media allowed paths that are not intended for image uploads https://developer.joomla.org:443/security-centre/846-20210306-core-com-medi… [20210307] - Core - ACL violation within com_content frontend editing https://developer.joomla.org:443/security-centre/847-20210307-core-acl-viol… [20210308] - Core - Path Traversal within joomla/archive zip class https://developer.joomla.org:443/security-centre/848-20210308-core-path-tra… [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field https://developer.joomla.org:443/security-centre/849-20210309-core-inadequa… --------------------------------------------- https://developer.joomla.org/security-centre.html ∗∗∗ Linux NFS kernel vulnerablity CVE-2020-25212 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42355373 ∗∗∗ [webapps] Tiny Tiny RSS - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/49606 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center has addressed multiple vulnerabilities (Q12021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: Datacap Taskmaster Capture is affected by vulnerable to AppScan's SSLv3 Client Hello with CBC cipher suites that contain TLS_FALLBACK_SCSV ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-captur… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2021
by Daily end-of-shift report 01 Mar '21

01 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-02-2021 18:00 − Montag 01-03-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ryuk ransomware now self-spreads to other Windows LAN devices ∗∗∗ --------------------------------------------- A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spr… ∗∗∗ Mobile malware evolution 2020 ∗∗∗ --------------------------------------------- In 2020, Kaspersky mobile products and technologies detected 156,710 new mobile banking Trojans and 20,708 new mobile ransomware Trojans. --------------------------------------------- https://securelist.com/mobile-malware-evolution-2020/101029/ ∗∗∗ Maldocs: Protection Passwords, (Sun, Feb 28th) ∗∗∗ --------------------------------------------- In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords. --------------------------------------------- https://isc.sans.edu/diary/rss/27146 ∗∗∗ Top 5 der simpelsten und effektivsten Maßnahmen, um Hackerangriffen vorzubeugen ∗∗∗ --------------------------------------------- Ganz egal mit welcher Art von Angreifer man es zu tun hat, die Schritte von der initialen Kompromittierung bis hin zur vollständigen "Domain Dominance" folgen gleichen Mustern. --------------------------------------------- https://sec-consult.com/de/blog/detail/top-5-der-simpelsten-und-effektivste… ∗∗∗ Akute Angriffswelle auf Fritzbox-Nutzer, jetzt handeln! ∗∗∗ --------------------------------------------- Mysteriöse Zugriffsversuche von der IP-Adresse 185.232.52.55 verunsichern derzeit zahlreiche Fritzbox-Nutzer. Schützen Sie Ihren Router vor der Angriffswelle. --------------------------------------------- https://heise.de/-5068111 ∗∗∗ New ICS Threat Activity Group: KAMACITE ∗∗∗ --------------------------------------------- The new KAMACITE activity group represents a long-running set of related behaviors targeting electric utilities, oil and gas operations, and various manufacturing since at least 2014. --------------------------------------------- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kam… ∗∗∗ Free cybersecurity tool aims to help smaller businesses stay safer online ∗∗∗ --------------------------------------------- NCSC tool aims to help small businesses develop a strategy to protect themselves from cyber crime. --------------------------------------------- https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-… ∗∗∗ Laravel Apps Leaking Secrets ∗∗∗ --------------------------------------------- An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. --------------------------------------------- https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/ ∗∗∗ Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures ∗∗∗ --------------------------------------------- New versions of the MINEBRIDGE RAT were discovered and analyzed by Zscaler researchers. Their findings on the TTPs, attribution, C2 infrastructure, and attack flow are published in a recent blog. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/256c2e722c138ff5a1a711314fc… ===================== = Vulnerabilities = ===================== ∗∗∗ Authentication Bypass Schwachstelle in Genua GenuGate High Resistance Firewall ∗∗∗ --------------------------------------------- Die Genua GenuGate High Resistance Firewall ist von einer kritischen Authentication Bypass Schwachstelle betroffen. Ein unauthentifizierter Angreifer kann sich durch Manipulation bestimmter HTTP POST Parameter beim Login als beliebiger Benutzer im Admin-Webinterface, Sidechannel Web und Userweb Interface, anmelden und somit die höchsten Rechte (root) erlangen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass… ∗∗∗ Google shares PoC exploit for critical Windows 10 Graphics RCE bug ∗∗∗ --------------------------------------------- Project Zero, Googles 0day bug-hunting team, shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-shares-poc-exploit-fo… ∗∗∗ D-LinkGATE Remote Code Execution ∗∗∗ --------------------------------------------- CVE-Nummern: CVE-2021-27249, CVE-2021-27250 Product: DAP-2020 (Since the vulnerability affects a core component further models might be subject to this vulnerability) Vulnerabilities: - Blind RCE - Blind RCE to full RCE escalation - Log Injection - Arbitrary File Read - Arbitrary File upload - LPE [...] --------------------------------------------- https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint). --------------------------------------------- https://lwn.net/Articles/847778/ ∗∗∗ Minion privilege escalation exploit patched in SaltStack Salt project ∗∗∗ --------------------------------------------- The bug permitted attackers to perform privilege escalation attacks in the automation software. --------------------------------------------- https://www.zdnet.com/article/minion-hijacking-flaw-patched-in-saltstack-sa… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2021
by Daily end-of-shift report 26 Feb '21

26 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-02-2021 18:00 − Freitag 26-02-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ So where did those Satori attacks come from?, (Thu, Feb 25th) ∗∗∗ --------------------------------------------- Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26. --------------------------------------------- https://isc.sans.edu/diary/rss/27140 ∗∗∗ SQL Triggers in Website Backdoors ∗∗∗ --------------------------------------------- Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables — for example, wp_users, wp_options, and wp_posts. --------------------------------------------- https://blog.sucuri.net/2021/02/sql-triggers-in-website-backdoors.html ∗∗∗ ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process ∗∗∗ --------------------------------------------- Researchers have uncovered gaps in Amazons skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. --------------------------------------------- https://thehackernews.com/2021/02/alert-malicious-amazon-alexa-skills-can.h… ∗∗∗ So Unchill: Melting UNC2198 ICEDID to Ransomware Operations ∗∗∗ --------------------------------------------- Since its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed to primarily target banking credentials. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid… ∗∗∗ SilentFade virus strikes, Cyberstalking and Ransom user ∗∗∗ --------------------------------------------- Recently, 360 Security Center monitored that the SlientFade virus was bundled with pirated software to spread. The infected users were mainly distributed in Malaysia, India, [...] --------------------------------------------- https://blog.360totalsecurity.com/en/silentfade-virus-strikes-cyberstalking… ∗∗∗ Microsoft Releases Open Source Resources for Solorigate Threat Hunting ∗∗∗ --------------------------------------------- Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack. --------------------------------------------- https://www.securityweek.com/microsoft-releases-open-source-resources-solor… ∗∗∗ Kettenbrief-Alarm: Angebliches Amazon-Gewinnspiel macht auf WhatsApp die Runde! ∗∗∗ --------------------------------------------- Auf WhatsApp wird derzeit ein Link verschickt mit einem Gewinn-Versprechen anlässlich des angeblichen 30-Jahr-Jubiläums von Amazon. Wir haben uns die Nachricht und den Link genauer angeschaut. Unser Fazit: Es handelt sich um einen klassischen Kettenbrief. Gewinn erhalten Sie dabei keinen, stattdessen müssen Sie eine gefährliche App herunterladen. --------------------------------------------- https://www.watchlist-internet.at/news/kettenbrief-alarm-angebliches-amazon… ∗∗∗ Go malware is now common, having been adopted by both APTs and e-crime groups ∗∗∗ --------------------------------------------- There's been a 2,000% increase of new malware written in Go over the past few years. --------------------------------------------- https://www.zdnet.com/article/go-malware-is-now-common-having-been-adopted-… ∗∗∗ New Phishing Attack Using Malformed URL Prefixes ∗∗∗ --------------------------------------------- GreatHorn reports on a phishing technique that leverages malformed URL prefixes to bypass security scanners. Many security scanners use pattern recognition to identify URLs, thus expecting the presence of "http://" to identify them. However, the URL specification technically does not require the "//" in order to visit a URL. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/c52464bd46eb48e4c5741df9e1b… ===================== = Vulnerabilities = ===================== ∗∗∗ Google looks at bypass in Chromiums ASLR security defense, throws hands up, wont patch garbage issue ∗∗∗ --------------------------------------------- In early November, a developer contributing to Googles open-source Chromium project reported a problem with Oilpan, the garbage collector for the browsers Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_… ∗∗∗ Security Advisory for Multiple Vulnerabilities on Some Routers, Satellites, and Extenders ∗∗∗ --------------------------------------------- NETGEAR has released fixes for multiple security vulnerabilities on the following product models: BR200, running firmware versions prior to 5.10.0.5 BR500, running firmware versions prior to 5.10.0.5 D7800, running firmware versions prior to 1.0.1.60 EX6100v2, running firmware versions prior to 1.0.1.98 EX6150v2, running firmware versions prior to 1.0.1.98 EX6250, running firmware versions prior to 1.0.0.134 EX6400, running firmware versions prior to 1.0.2.158 EX6400v2, running firmware versions prior to 1.0.0.134 EX6410, running firmware versions prior to 1.0.0.134 EX6420, running firmware versions prior to 1.0.0.134 EX7300, running firmware versions prior to 1.0.2.158 EX7300v2, running firmware versions prior to 1.0.0.134 EX7320, running firmware versions prior to 1.0.0.134 EX7700, running firmware versions prior to 1.0.0.216 EX8000, running firmware versions prior to 1.0.1.232 LBR20, running firmware versions prior to 2.6.3.50 R7800, running firmware versions prior to 1.0.2.80 R8900, running firmware versions prior to 1.0.5.28 R9000, running firmware versions prior to 1.0.5.28 RBK12, running firmware versions prior to 2.7.2.104 RBK13, running firmware versions prior to 2.7.2.104 RBK14, running firmware versions prior to 2.7.2.104 RBK15, running firmware versions prior to 2.7.2.104 RBK20, running firmware versions prior to 2.6.2.104 RBK23, running firmware versions prior to 2.7.2.104 RBK40, running firmware versions prior to 2.6.2.104 RBK43, running firmware versions prior to 2.6.2.104 RBK43S, running firmware versions prior to 2.6.2.104 RBK44, running firmware versions prior to 2.6.2.104 RBK50, running firmware versions prior to 2.7.2.104 RBK53, running firmware versions prior to 2.7.2.104 RBR10, running firmware versions prior to 2.6.2.104 RBR20, running firmware versions prior to 2.6.2.104 RBR40, running firmware versions prior to 2.6.2.104 RBR50, running firmware versions prior to 2.7.2.104 RBS10, running firmware versions prior to 2.6.2.104 RBS20, running firmware versions prior to 2.6.2.104 RBS40, running firmware versions prior to 2.6.2.104 RBS50, running firmware versions prior to 2.7.2.104 RBS50Y, running firmware versions prior to 2.6.2.104 XR450, running firmware versions prior to 2.3.2.114 XR500, running firmware versions prior to 2.3.2.114 XR700, running firmware versions prior to 1.0.1.38 NETGEAR strongly recommends that you download the latest firmware as soon as possible. --------------------------------------------- https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabili… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff). --------------------------------------------- https://lwn.net/Articles/847581/ ∗∗∗ PerFact OpenVPN-Client ∗∗∗ --------------------------------------------- This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-056-01 ∗∗∗ Fatek FvDesigner ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in Fatek FvDesigner software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-056-02 ∗∗∗ Rockwell Automation Logix Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for a n Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03 ∗∗∗ ProSoft Technology ICX35 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04 ∗∗∗ GeNUA GeNUGate: Nicht spezifizierte Schwachstelle ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0217 ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26950) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14779, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – OpenSSL (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15683) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15677) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26951) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is using opensaml-2.6.4.jar that could be vulnerable to bypass security restrictions (CVE-2015-1796) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2021
by Daily end-of-shift report 25 Feb '21

25 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-02-2021 18:00 − Donnerstag 25-02-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Attackers scan for vulnerable VMware servers after PoC exploit release ∗∗∗ --------------------------------------------- After security researchers have developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/attackers-scan-for-vulnerabl… ∗∗∗ Lazarus targets defense industry with ThreatNeedle ∗∗∗ --------------------------------------------- In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns. --------------------------------------------- https://securelist.com/lazarus-threatneedle/100803/ ∗∗∗ Forensicating Azure VMs, (Thu, Feb 25th) ∗∗∗ --------------------------------------------- With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm. --------------------------------------------- https://isc.sans.edu/diary/rss/27136 ∗∗∗ Cisco schließt drei kritische, aus der Ferne ausnutzbare Sicherheitslücken ∗∗∗ --------------------------------------------- Jetzt updaten: Im ACI Multi-Site Orchestrator (MSO), in der Application Services Engine und in Nexus-Switches klaff(t)en Remote-Lücken mit "Critical"-Wertung. --------------------------------------------- https://heise.de/-5065055 ∗∗∗ Babuk Ransomware ∗∗∗ --------------------------------------------- Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/ ∗∗∗ DarkWorld Ransomware ∗∗∗ --------------------------------------------- Recently, 360 Security Center detected a ransomware that disguised commonly used software and appeared on the network. The virus called itself DarkWorld in the [...] --------------------------------------------- https://blog.360totalsecurity.com/en/darkworld-ransomware/ ∗∗∗ Vorsicht: Beim Shoppen auf falinas.com, falinas.de und falinas.at schließen Sie ein Abo ab! ∗∗∗ --------------------------------------------- Derzeit erreichen uns zahlreiche Meldungen, die vor dem Online-Shop falinas.com warnen. Der Online-Shop ist auch unter falinas.de und falinas.at erreichbar. Die Masche ist auf allen Seiten die gleiche. Man kauft eine der vielen Marken-Beautyprodukte zu einem günstigen Preis. Erst später bemerken die KonsumentInnen, dass sie damit ein teures Abo abgeschlossen haben. Wir empfehlen: Lassen Sie lieber die Finger von falinas.com. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-shoppen-auf-falinascom… ∗∗∗ This chart shows the connections between cybercrime groups ∗∗∗ --------------------------------------------- CrowdStrike puts together a list of connections and how cybercrime groups cooperate with each other. --------------------------------------------- https://www.zdnet.com/article/this-chart-shows-the-connections-between-cybe… ∗∗∗ Google Mail Merge Impersonation ∗∗∗ --------------------------------------------- A recent phishing campaign detected by Abnormal Security attempts to steal Outlook credentials through a Google Mail merge lure. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/eaf477f5b5f77df91462fd850ef… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, [...] --------------------------------------------- https://lwn.net/Articles/847390/ ∗∗∗ Node.js vulnerability CVE-2020-8277 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K07944249 ∗∗∗ Security Bulletin: Vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-linux-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14803, CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: Multiple IBM Java Runtime Vulnerabilities Affect IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-java-runtime… ∗∗∗ Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-filenet-content-manag… ∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi… ∗∗∗ Security Bulletin: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnera… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2021
by Daily end-of-shift report 24 Feb '21

24 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-02-2021 18:00 − Mittwoch 24-02-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Finnish IT services giant TietoEVRY discloses ransomware attack ∗∗∗ --------------------------------------------- Finnish IT services giant TietoEVRY has suffered a ransomware attack that forced them to disconnect clients services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/finnish-it-services-giant-ti… ∗∗∗ Cyberkriminelle attackieren Krankenhäuser und Impfstoffhersteller ∗∗∗ --------------------------------------------- Die Corona-Pandemie wurde von Kriminellen genutzt, um Geld zu erpressen. Auch die Impfstoff-Lieferketten gerieten ins Visier. --------------------------------------------- https://futurezone.at/digital-life/ransomware-angriffe-auf-krankenhaeuser-n… ∗∗∗ Microsoft Lures Populate Half of Credential-Swiping Phishing Emails ∗∗∗ --------------------------------------------- As more organizations migrate to Office 365, cybercriminals are using Outlook, Teams and other Microsoft-themed phishing lures to swipe user credentials. --------------------------------------------- https://threatpost.com/microsoft-lures-credential-swiping-phishing-emails/1… ∗∗∗ Malspam pushes GuLoader for Remcos RAT, (Wed, Feb 24th) ∗∗∗ --------------------------------------------- Malicious spam (malspam) pushing GuLoader malware has been around for over a year now. GuLoader is a file downloader first observed in December 2019, and it has been used to distribute a wide variety of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/27132 ∗∗∗ Experts Warns of Notable Increase in QuickBooks Data Files Theft Attacks ∗∗∗ --------------------------------------------- New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks to deliver malware and exploit the accounting software. --------------------------------------------- https://thehackernews.com/2021/02/experts-warns-of-notable-increase-in.html ∗∗∗ 2020 ICS Cybersecurity Year in Review ∗∗∗ --------------------------------------------- The Dragos YIR report is an annual analysis of ICS/OT focused cyber threats, vulnerabilities, assessments, and incident response insights. --------------------------------------------- https://www.dragos.com/blog/industry-news/2020-ics-cybersecurity-year-in-re… ∗∗∗ New LazyScripter Hacking Group Targets Airlines ∗∗∗ --------------------------------------------- A recently identified threat actor that remained unnoticed for roughly two years appears focused on the targeting of airlines that are using the BSPLink financial settlement software made by the International Air Transport Association (IATA). --------------------------------------------- https://www.securityweek.com/new-lazyscripter-hacking-group-targets-airlines ∗∗∗ An Analysis of MassLogger v3 ∗∗∗ --------------------------------------------- Researchers from Avast have published a report on their analysis of the MassLogger v3 infostealing malware. The analysis focuses on the obfuscation of the final payload. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/8f1c8a4c335e11921fdc7a3f520… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt updaten: Kritische Lücke aus VMware ESXi und vCenter Server beseitigt ∗∗∗ --------------------------------------------- Drei Sicherheitslücken mit Einstufungen von "Moderate" bis "Critical" betreffen neben ESXi und vCenter Server indirekt auch Cloud Foundation. Es gibt Updates. --------------------------------------------- https://heise.de/-5063860 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (firefox and tor), Oracle (stunnel and xterm), Red Hat (virt:8.2 and virt-devel:8.2 and xterm), SUSE (avahi, gnuplot, java-1_7_0-ibm, and pcp), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/847240/ ∗∗∗ Cisco Security Advisories 2021-02-24 ∗∗∗ --------------------------------------------- 3 Critical, 4 High, 5 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Privilege Escalation via sudo and Linux kernel in Bosch Rexroth Products ∗∗∗ --------------------------------------------- BOSCH-SA-372917: Linux kernel versions through 5.10.11 contain weaknesses which allow local users to execute code in the kernel with the potential to escalate privileges. The ctrlX CORE and the IoT Gateway both are shipped with vulnerable versions of those components. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-372917.html ∗∗∗ ZDI-21-249: (Pwn2Own) NETGEAR Nighthawk R7800 Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-249/ ∗∗∗ ZDI-21-248: (Pwn2Own) NETGEAR R7800 udchpd DHCP_REQUEST Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-248/ ∗∗∗ ZDI-21-247: NETGEAR Nighthawk R7800 ready-genie-cloud Insecure Download of Critical Component Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-247/ ∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210218-… ∗∗∗ Security Advisory - Use After Free Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-… ∗∗∗ Security Bulletin: Clickjacking vulnerability identified in IBM Dependency Based Build server web UI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-clickjacking-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14797, CVE-2020-14779, CVE-2020-14796) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nodemailer module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple CVEs – Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabili… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus (CVE-2020-7760) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: OpenLDAP publicly disclosed vulnerabilities affects MessageGateway (CCVE-2020-36230, CVE-2020-36229) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openldap-publicly-disclos… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to cookie spoofing (CVE-2019-12749) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nodemailer module affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Rockwell Automation FactoryTalk Services Platform ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-054-01 ∗∗∗ Advantech BB-ESWGP506-2SFP-T ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02 ∗∗∗ Advantech Spectre RT Industrial Routers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-054-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2021
by Daily end-of-shift report 23 Feb '21

23 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Montag 22-02-2021 18:00 − Dienstag 23-02-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Achtung: Gefälschtes E-Mail von A1 über eine Belohnung für Mobilpoints führt in Abo-Falle ∗∗∗ --------------------------------------------- „Seit Sie unsere Dienste nutzen, haben Sie 29.039 Mobilpoints gesammelt. Dank dieser erhalten Sie als Belohnung ein Smartphone.“ Dieses Angebot wird angeblich von A1 per E-Mail unterbreitet. Doch Vorsicht: Dieses E-Mail stammt von Kriminellen. Wer diesem vermeintlichen Angebot Glauben schenkt und die Liefergebühren bezahlt, tappt in eine teure Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-gefaelschtes-e-mail-von-a1-u… ∗∗∗ Lessons Learned from SUNBURST for Threat Hunters ∗∗∗ --------------------------------------------- Practical advice from the DomainTools research team on how to approach adversary-based threat hunting, asset management, and incident response in the wake of the SUNBURST campaign. --------------------------------------------- https://www.domaintools.com/resources/blog/lessons-learned-from-sunburst-fo… ∗∗∗ Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd) ∗∗∗ --------------------------------------------- I wanted to take a look at Brad's malicious spreadsheet, using Excel inside a VM. --------------------------------------------- https://isc.sans.edu/diary/rss/27126 ∗∗∗ Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd) ∗∗∗ --------------------------------------------- Given its history, the Full Disclosure mailing list[1] is probably one of the best-known places on the internet where information about newly discovered vulnerabilities is may be published in a completely open way. If one wishes to inform the wider security community about a vulnerability one found in any piece of software, one only has to submit a post and after it is evaluated by the moderators, the information will be published to the list. --------------------------------------------- https://isc.sans.edu/diary/rss/27130 ∗∗∗ Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs ∗∗∗ --------------------------------------------- Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents. Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain [...] --------------------------------------------- https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html ∗∗∗ New article: Decompiling Excel Formula (XF) 4.0 malware ∗∗∗ --------------------------------------------- In a new article, researcher Kurt Natvig takes a close look at XF 4.0 malware. --------------------------------------------- https://www.virusbulletin.com/blog/2021/02/new-article-decompiling-excel-fo… ∗∗∗ Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion ∗∗∗ --------------------------------------------- Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the [...] --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploite… ∗∗∗ Checkout Skimmers Powered by Chip Cards ∗∗∗ --------------------------------------------- Easily the most sophisticated skimming devices made for hacking terminals at retail self-checkout lanes are a new breed of PIN pad overlay combined with a flexible, paper-thin device that fits inside the terminals chip reader slot. What enables these skimmers to be so slim? They draw their power from the low-voltage current that gets triggered when a chip-based card is inserted. As a result, they do not require external batteries, and can remain in operation indefinitely. --------------------------------------------- https://krebsonsecurity.com/2021/02/checkout-skimmers-powered-by-chip-cards/ ∗∗∗ Clop targets execs, ransomware tactics get another new twist ∗∗∗ --------------------------------------------- Clops targeting of executives workstations is the latest in a string of recent innovations in ransomware. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-… ∗∗∗ UK Banks 2FA Being Bypassed ∗∗∗ --------------------------------------------- Akamai and Cyjax have published reports on a campaign that is bypassing 2FA in order to employ a multi-part phishing kit. Functionality of this kit does not behave as typically expected. This particular phishing kit uses a centralized control panel, a departure from typical phishing operations. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/75c736c5e365bdd5636268f9815… ===================== = Vulnerabilities = ===================== ∗∗∗ Browser-Updates: Firefox 86 und 78.8 ESR umfassen wichtige Sicherheitsupdates ∗∗∗ --------------------------------------------- Mozillas frisch erschienene Browser-Versionen bergen neben neuen Funktionen auch Schwachstellen-Fixes. Von mehreren geht ein hohes Sicherheitsrisiko aus. --------------------------------------------- https://heise.de/-5063402 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (connman, firejail, kernel, python-django, roundcubemail, and wpa_supplicant), Fedora (gdk-pixbuf2 and gdk-pixbuf2-xlib), openSUSE (python3 and tomcat), Scientific Linux (xterm), SUSE (postgresql12 and postgresql13), and Ubuntu (gdk-pixbuf, openldap, python-django, and qemu). --------------------------------------------- https://lwn.net/Articles/847150/ *** Synology Security Advisories *** --------------------------------------------- Synology-SA-21:09 WebDAV Server A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of WebDAV Server. https://www.synology.com/en-global/support/security/Synology_SA_21_09 Synology-SA-21:08 Docker A vulnerability allows local users to read or write arbitrary files via a susceptible version of Docker. https://www.synology.com/en-global/support/security/Synology_SA_21_08 Synology-SA-21:07 Synology Directory Server A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Directory Server. https://www.synology.com/en-global/support/security/Synology_SA_21_07 Synology-SA-21:06 CardDAV Server A vulnerability allows remote authenticated users to execute arbitrary SQL commands via a susceptible version of CardDAV Server. https://www.synology.com/en-global/support/security/Synology_SA_21_06 Synology-SA-21:05 Audio Station A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Audio Station. https://www.synology.com/en-global/support/security/Synology_SA_21_05 Synology-SA-21:04 Video Station A vulnerability allows remote authenticated users to access intranet resources via a susceptible version of Video Station. https://www.synology.com/en-global/support/security/Synology_SA_21_04 Synology-SA-21:03 DSM Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM). https://www.synology.com/en-global/support/security/Synology_SA_21_03 --------------------------------------------- https://www.synology.com/en-global/security/advisory ∗∗∗ Security Vulnerabilities fixed in Thunderbird 78.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/ ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: Multiple CVEs – Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabili… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2021
by Daily end-of-shift report 22 Feb '21

22 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-02-2021 18:00 − Montag 22-02-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trojaner-Alarm bei 3D-Drucker-Software von Creality ∗∗∗ --------------------------------------------- Das auf den Download-Seiten Crealitys für den 3D-Drucker Ender 5 angebotene Software-Paket führt auf Windows-PCs zu einer Alarmmeldung. --------------------------------------------- https://heise.de/-5061290 ∗∗∗ Silver Sparrow: Mysteriöse Malware auf über 29.000 Macs entdeckt ∗∗∗ --------------------------------------------- Die für Intel- und ARM-Macs ausgelegte Software hat eine Selbstzerstörungsfunktion und kontaktiert regelmäßig Befehlsserver, tut aber bislang nichts. --------------------------------------------- https://heise.de/-5062066 ∗∗∗ Powerhouse VPN products can be abused for large-scale DDoS attacks ∗∗∗ --------------------------------------------- Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups. --------------------------------------------- https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-lar… ∗∗∗ Recently fixed Windows zero-day actively exploited since mid-2020 ∗∗∗ --------------------------------------------- Microsoft says that a high-severity Windows zero-day vulnerability patched during the February 2021 Patch Tuesday was exploited in the wild since at least the summer of 2020 according to its telemetry data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-… ∗∗∗ Quickie: Extracting HTTP URLs With tshark, (Sat, Feb 20th) ∗∗∗ --------------------------------------------- After I posted diary entry "Quickie: tshark & Malware Analysis", someone asked me how to extract HTTP URLs from capture files with tshark. --------------------------------------------- https://isc.sans.edu/diary/rss/27120 ∗∗∗ DDE and oledump, (Sun, Feb 21st) ∗∗∗ --------------------------------------------- I was asked if the DDE YARA rules I created work with oledump.py on the sample that Xavier wrote about in his diary entry "Dynamic Data Exchange (DDE) is Back in the Wild?". --------------------------------------------- https://isc.sans.edu/diary/rss/27122 ∗∗∗ New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victims Mastercard contactless card while believing it to be a Visa card. The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a [...] --------------------------------------------- https://thehackernews.com/2021/02/new-hack-lets-attackers-bypass.html ∗∗∗ Genetics of a Modern IoT Attack ∗∗∗ --------------------------------------------- When it comes to IoT attacks and malware, there is a perceptible pattern in which all intrusions manifest. It is good practice to study such patterns and draw conclusions so that we may extrapolate to future attacks. --------------------------------------------- https://cujo.com/genetics-of-a-modern-iot-attack/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! SonicWall optimiert Sicherheitsupdates für SMA 100 ∗∗∗ --------------------------------------------- Der Netzwerkausrüster hat neue Patches für sein Fernzugriffsystem SMA 100 veröffentlicht und rät zur zügigen Installation. --------------------------------------------- https://heise.de/-5061513 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libzstd, openldap, openvswitch, screen, and wpa), Fedora (dotnet5.0, subversion, and wpa_supplicant), openSUSE (mumble, python-djangorestframework, and tor), Oracle (container-tools:ol8, kernel, nodejs:10, nodejs:12, nodejs:14, subversion:1.10, and xterm), Red Hat (stunnel and xterm), and SUSE (ImageMagick, java-1_8_0-openjdk, kernel, krb5-appl, python3, tomcat, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/847035/ ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0198 ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js codemirror module affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A vulnerability in Bouncy Castle affects IBM Rational Performance Tester (CVE-2020-26939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-bouncy… ∗∗∗ Security Bulletin: A security vulnerability in Node.js ini module affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A vulnerability have been identified in FasterXML Jackson Databind shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: App Connect Professional & IBM WebSphere Cast Iron Solution are affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in PostgreSQL affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js y18n module affects IBM Cloud Pak for Multicloud Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Multiple vulnerability issues affect IBM Spectrum Symphony 7.3.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-is… ∗∗∗ Security Bulletin: Multiple vulnerability issues affect IBM Spectrum Conductor 2.5.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-is… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2021
by Daily end-of-shift report 19 Feb '21

19 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-02-2021 18:00 − Freitag 19-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ RIPE NCC Internet Registry discloses SSO credential stuffing attack ∗∗∗ --------------------------------------------- RIPE NCC is warning members that they suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ripe-ncc-internet-registry-d… ∗∗∗ Microsoft: Solarwinds-Angriffe gingen nach Auffliegen weiter ∗∗∗ --------------------------------------------- Microsoft bestätigt Angriffe der Solarwinds-Hacker bis in den Januar. Die Angreifer konnten zudem Quellcode herunterladen. --------------------------------------------- https://www.golem.de/news/microsoft-solarwinds-angriffe-gingen-nach-aufflie… ∗∗∗ Router Security ∗∗∗ --------------------------------------------- This report is six months old, and I don’t know anything about the organization that produced it, but it has some alarming data about router security.Conclusion: Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years. --------------------------------------------- https://www.schneier.com/blog/archives/2021/02/router-security.html ∗∗∗ myMail Manages Your Mailbox… in a Strange Way! ∗∗∗ --------------------------------------------- myMail is a popular (10M+ downloads!) alternative email client for mobile devices. Available for iOS and Android, it is a powerful email client compatible with most of the mail providers (POP3/IMAP, Gmail, Yahoo!, Outlook, and even ActiveSync). --------------------------------------------- https://blog.rootshell.be/2021/02/19/mymail-manages-your-mailbox-in-a-stran… ∗∗∗ Dynamic Data Exchange (DDE) is Back in the Wild?, (Fri, Feb 19th) ∗∗∗ --------------------------------------------- DDE or "Dynamic Data Exchange" is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects. --------------------------------------------- https://isc.sans.edu/diary/rss/27116 ∗∗∗ Kriminelle versuchen an Ihre Microsoft-Zugangsdaten zu kommen ∗∗∗ --------------------------------------------- Gerade durch das vermehrte Arbeiten im Home-Office werden Absprachen und Planungen immer stärker in die digitale Welt verlagert. Der „Microsoft Planner“ ist ein oft genutztes Werkzeug, um den Überblick zu behalten – das wissen auch BetrügerInnen. Denn im Namen des „Microsoft Planner“ verschicken Kriminelle derzeit E-Mails in der Hoffnung, dass die EmpfängerInnen Ihre Microsoft-Zugangsdaten preisgeben. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versuchen-an-ihre-microso… ∗∗∗ IronNetInjector: Turla’s New Malware Loading Tool ∗∗∗ --------------------------------------------- IronPython has been used for malicious purposes before, but in its new malware loading tool IronNetInjector, threat group Turla uses it in a new way. --------------------------------------------- https://unit42.paloaltonetworks.com/ironnetinjector/ ∗∗∗ SectopRAT Adds Encrypted Communication ∗∗∗ --------------------------------------------- SectopRAT first appeared in 2019, but a recent version discovered by G DATA shows it has evolved since original analysis. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/1c75b182cb0446128ac95b0e49c… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory: Privilege Management for Unix & Linux (PMUL) Basic and Privilege Management for Mac (PMM) Affected by Sudo Vulnerability ∗∗∗ --------------------------------------------- On January 26, 2021, the Qualys research team disclosed a heap overflow vulnerability (CVE-2021-3156) within sudo that allows any unprivileged user to gain root privileges on Linux without requiring a password. BeyondTrust PBsudo/Privilege Management for Unix & Linux Basic is affected by this CVE. Apple also acknowledged and released updates to macOS for this CVE on Feb 10, 2021. Based on macOS releases, we confirmed that Privilege Management for Mac (PMM) is also impacted by this --------------------------------------------- https://www.beyondtrust.com/blog/entry/security-advisory-privilege-manageme… ∗∗∗ VU#240785: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs ∗∗∗ --------------------------------------------- OverviewAtlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.DescriptionThe Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.ImpactBy placing a specially-crafted DLL --------------------------------------------- https://kb.cert.org/vuls/id/240785 ∗∗∗ Ceritude Securiy Advisory - CSA-2021-001: CSRF in Apache MyFaces (CVE-2021-26296) ∗∗∗ --------------------------------------------- Apache MyFaces is an open-source implementation of JSF. During a quick evaluation, Certitude found that the default CSRF protection of Apache MyFaces was insufficient as the CSRF tokens the framework generates can be guessed by an attacker. --------------------------------------------- https://certitude.consulting/advisories/CSA_2021_001_Cross_Site_Request_For… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro). --------------------------------------------- https://lwn.net/Articles/846787/ ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2021-20354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea… ∗∗∗ OpenSSL vulnerability CVE-2021-23840 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24624116 ∗∗∗ OpenSSL vulnerability CVE-2021-23839 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61903372 ∗∗∗ OpenSSL vulnerability CVE-2021-23841 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52833764 ∗∗∗ cURL vulnerability CVE-2020-8284 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63525058 ∗∗∗ cURL vulnerability CVE-2020-8285 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61186963 ∗∗∗ cURL vulnerability CVE-2020-8286 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15402727 ∗∗∗ Johnson Controls Metasys Reporting Engine (MRE) Web Services ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-01 ∗∗∗ Mitsubishi Electric FA engineering software products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2021
by Daily end-of-shift report 18 Feb '21

18 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-02-2021 18:00 − Donnerstag 18-02-2021 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ How to Not Give a Scam ∗∗∗ --------------------------------------------- Learn about tactics attackers use for extortion emails and how to build a picture around raw data as the DomainTools team leads an investigation into a sextortion scam. --------------------------------------------- https://www.domaintools.com/resources/blog/how-to-not-give-a-scam ∗∗∗ Mac Malware Targets Apple’s In-House M1 Processor ∗∗∗ --------------------------------------------- A malicious adware-distributing application specifically targets Apples new M1 SoC, used in its newest-generation MacBook Air, MacBook Pro and Mac mini devices. --------------------------------------------- https://threatpost.com/macos-malware-apple-m1-processor/164075/ ∗∗∗ Covid‑19‑Impfstoffe: Gefahr durch Betrugsmails und Falschmeldungen ∗∗∗ --------------------------------------------- Die weltweit anlaufenden Impfkampagnen sind der langersehnte Lichtblick beim Kampf gegen die Pandemie. Gleichzeitig haben auch Betrüger und Verbreiter von Falschmeldungen das Thema Impfstoffe für sich entdeckt. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/02/17/covid-19-impfstoffe-gefah… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2020-8625: A vulnerability in BINDs GSSAPI security policy negotiation can be targeted by a buffer overflow attack ∗∗∗ --------------------------------------------- This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features. Solution: Upgrade to the patched release most closely related to your current version of BIND --------------------------------------------- https://kb.isc.org/docs/cve-2020-8625 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mumble, openssl, php7.3, and webkit2gtk), openSUSE (jasper, php7, and screen), SUSE (bind, php7, and php72), and Ubuntu (bind9, openssl, openssl1.0, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/846623/ ∗∗∗ Security Bulletin: A security vulnerability in Node.js y18n module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4933) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Vulnerability has been identified in SnakeYAML used by IBM Dependency Based Build ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-has-been-id… ∗∗∗ Security Bulletin: IBM Maximo Data Loader (maxloader) shipped with IBM Maximo for Civil Infrastructure is vulnerable to cross-site scripting and missing or insecure "X-XSS-Protection" header ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-data-loader-ma… ∗∗∗ Security Bulletin: A security vulnerability in Node.js ini module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Maximo Data Loader (maxloader) shipped with IBM Maximo for Civil Infrastructure is vulnerable to autocomplete HTML Attribute not disabled for password field ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-data-loader-ma… ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js codemirror module affects IBM Cloud Automation Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple BIND vulnerabilities (CVE-2020-8622, CVE-2020-8623, CVE-2020-8624) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ February 16, 2021 TNS-2021-02 [R1] Nessus Network Monitor 5.13.0 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-02 ∗∗∗ XSA-366 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-366.html ∗∗∗ Jira Server for Slack Security Advisory 17th February 2021 ∗∗∗ --------------------------------------------- https://confluence.atlassian.com/jira/jira-server-for-slack-security-adviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2021
by Daily end-of-shift report 17 Feb '21

17 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-02-2021 18:00 − Mittwoch 17-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Masslogger Swipes Microsoft Outlook, Google Chrome Credentials ∗∗∗ --------------------------------------------- A new version of the Masslogger trojan has been targeting Windows users - now using a compiled HTML (CHM) file format to start the infection chain. --------------------------------------------- https://threatpost.com/masslogger-microsoft-outlook-google-chrome/164011/ ∗∗∗ The new "LinkedInSecureMessage" ?, (Wed, Feb 17th) ∗∗∗ --------------------------------------------- With all the talk of secure messenger applications lately, I bet you’d like to have just one more, right? In the past few weeks, we’ve noticed a new variant on a typical cred-stealer, in this case offering itself up as a new, secure messaging format used over the career website LinkedIn. --------------------------------------------- https://isc.sans.edu/diary/rss/27110 ∗∗∗ Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping ∗∗∗ --------------------------------------------- A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls. Thats according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.ios SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; healthcare apps like Talkspace, Practo, and Dr. First's Backline; and in the Android app that's paired with "temi" personal robot. --------------------------------------------- https://thehackernews.com/2021/02/agora-sdk-bug-left-several-video.html ∗∗∗ North Korean Malicious Cyber Activity: AppleJeus ∗∗∗ --------------------------------------------- Original release date: February 17, 2021CISA, the Federal Bureau of Investigation, and the Department of the Treasury have released a Joint Cybersecurity Advisory and seven Malware Analysis Reports (MARs) on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/02/17/north-korean-mali… ∗∗∗ Remotely Exploitable 0day in Internet Explorer Gets a Free Micropatch ∗∗∗ --------------------------------------------- On February 4, 2021, security researchers at ENKI, a South Korean security consultancy, published a blog post detailing an unpatched vulnerability in Internet Explorer. This "0day" vulnerability was used in an attack campaign against various security researchers, including ENKI researchers, who noticed the attack and took the exploit apart to extract the vulnerability information. ENKI researchers kindly shared their proof of concept with us, so we could quickly start analyzing the vulnerability and create a micropatch for it. --------------------------------------------- https://blog.0patch.com/2021/02/remotely-exploitable-0day-in-internet.html ∗∗∗ Vorsicht bei zu günstigen Angeboten im Facebook-Marketplace! ∗∗∗ --------------------------------------------- Der Marketplace von Facebook ermöglicht nicht nur privaten VerkäuferInnen, neue und gebrauchte Produkte anzubieten, sondern auch kommerziellen HändlerInnen. Interessierte KäuferInnen sollten die Anzeigen und die dahinterstehenden Facebook-Profile jedoch genau überprüfen. Denn wie auch bei anderen Kleinanzeigenplattformen kommt es auf Facebook immer wieder zu Betrug. Wir zeigen Ihnen wie Sie betrügerische Angebote entlarven können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-angeboten… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP patches critical vulnerability in Surveillance Station NAS app ∗∗∗ --------------------------------------------- QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-patches-critical-vulner… ∗∗∗ OpenSSL Security Advisory [16 February 2021] ∗∗∗ --------------------------------------------- Severity Moderate: Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) Severity Low: Incorrect SSLv2 rollback protection (CVE-2021-23839) Severity Low: Integer overflow in CipherUpdate (CVE-2021-23840) --------------------------------------------- https://www.openssl.org/news/secadv/20210216.txt ∗∗∗ One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms ∗∗∗ --------------------------------------------- On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. --------------------------------------------- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-seve… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and ruby-mechanize), Fedora (chromium, jasper, roundcubemail, spice-vdagent, and webkit2gtk3), openSUSE (python-bottle), Oracle (dotnet, kernel, and kernel-container), Red Hat (redhat-ds:11, RHDM, and RHPAM), SUSE (jasper, kernel, and screen), and Ubuntu (thunderbird and wpa). --------------------------------------------- https://lwn.net/Articles/846476/ ∗∗∗ Cisco StarOS Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for AIX and Linux – July 2020. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: OpenSSL vulnerability affects IBM Engineering Workflow Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Hamilton-T1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-047-01 ∗∗∗ Open Design Alliance Drawings SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-047-01 ∗∗∗ Rockwell Automation Allen-Bradley Micrologix 1100 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-047-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily