=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-02-2021 18:00 - Tuesday 16-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyberattack on Dutch Research Council (NWO) suspends research grants ∗∗∗
---------------------------------------------
Servers belonging to the Dutch Research Council (NWO) have been compromised, forcing the organization to make its network unavailable and suspend subsidy allocation for the foreseeable future.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cyberattack-on-dutch-researc…
∗∗∗ Microsoft pulls Windows KB4601392 for blocking security updates ∗∗∗
---------------------------------------------
Microsoft has pulled a problematic Windows servicing stack update (SSU) after it blocked Windows 10 and Windows Server customers from installing the security updates released during this month's Patch Tuesday.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-windows-kb4…
∗∗∗ Sandworm: France reports years-long state-sponsored hack of servers ∗∗∗
---------------------------------------------
Similar to the SolarWinds hack, the free monitoring software Centreon is said to have been under attack for years.
---------------------------------------------
https://www.golem.de/news/sandworm-frankreich-meldet-jahrelangen-staatliche…
∗∗∗ More weirdness on TCP port 26, (Tue, Feb 16th) ∗∗∗
---------------------------------------------
A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week when I noticed another spike on port 26, I decided to take another look.
---------------------------------------------
https://isc.sans.edu/diary/rss/27106
∗∗∗ Corona aid for companies: Fake e-mail in the name of the Federal Ministry of Social Affairs in circulation ∗∗∗
---------------------------------------------
Numerous business owners are currently finding an e-mail with the subject "Überbrückungshilfe III - Informationen und Unterstützung für Unternehmen", allegedly from the Federal Ministry of Social Affairs, in their inbox. Caution: this e-mail comes from criminals and contains malware.
---------------------------------------------
https://www.watchlist-internet.at/news/corona-hilfe-fuer-unternehmen-gefael…
=====================
= Vulnerabilities =
=====================
∗∗∗ Malvertisers exploited browser zero-day to redirect users to scams ∗∗∗
---------------------------------------------
The ScamClub malvertising group used a zero-day vulnerability in the WebKit web browser engine to push payloads that redirected to gift card scams.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malvertisers-exploited-brows…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (spip), Mageia (chromium-browser, kernel, kernel-linus, and trojita), openSUSE (mumble and opera), Red Hat (container-tools:rhel8, java-1.8.0-ibm, kernel, kernel-rt, net-snmp, nodejs:10, nodejs:12, nodejs:14, nss, perl, python, and rh-nodejs10-nodejs), and SUSE (jasper, python-bottle, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/846395/
∗∗∗ Security bugs left unpatched in Android app with one billion downloads ∗∗∗
---------------------------------------------
The vulnerabilities impact SHAREit, an app used for sharing files between users and their devices.
---------------------------------------------
https://www.zdnet.com/article/security-bugs-left-unpatched-in-android-app-w…
∗∗∗ Calsos CSDJ fails to restrict access permissions ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN87164507/
∗∗∗ FileZen vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN58774946/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-4954, CVE-2020-4955, CVE-2020-4956) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server January 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ XSA-365 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-365.html
∗∗∗ XSA-364 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-364.html
∗∗∗ XSA-363 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-363.html
∗∗∗ XSA-362 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-362.html
∗∗∗ XSA-361 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-361.html
∗∗∗ Nagios Enterprises Nagios XI: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0178
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-02-2021 18:00 - Monday 15-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Copycats imitate novel supply chain attack that hit tech giants ∗∗∗
---------------------------------------------
This week, hundreds of new packages have been published to the npm open-source repository named after private components being used internally by major companies. These npm packages are identical to the proof-of-concept packages created by Alex Birsan, the researcher who had recently managed to infiltrate over 35 major tech firms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/copycats-imitate-novel-suppl…
∗∗∗ Sunbird and Hornbill: New Android spyware from the Confucius APT ∗∗∗
---------------------------------------------
Security researchers have discovered two malware programs that they attribute to a pro-Indian APT group. Both are said to be based on commercial spyware.
---------------------------------------------
https://www.golem.de/news/sunbird-und-hornbill-neue-android-spyware-der-con…
∗∗∗ Using Logstash to Parse IPtables Firewall Logs, (Sat, Feb 13th) ∗∗∗
---------------------------------------------
One of our readers submitted some DSL modem firewall logs (iptables format) and I wrote a simple logstash parser to analyze and illustrate the activity; in this case it is all scanning activity against this modem. An iptables parser exists for Filebeat, but for this example, I wanted to show how to create a simple logstash parser using Grok to parse these logs and send them to Elastic.
---------------------------------------------
https://isc.sans.edu/diary/rss/27096
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware vSphere Replication: Updates fix remotely exploitable vulnerability ∗∗∗
---------------------------------------------
Security updates are available for several versions of the vCenter Server extension vSphere Replication; they close a vulnerability rated "High".
---------------------------------------------
https://heise.de/-5055247
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (busybox, linux-4.19, openvswitch, subversion, unbound1.9, and xterm), Fedora (audacity, community-mysql, kernel, libzypp, mysql-connector-odbc, python-django, python3.10, and zypper), openSUSE (librepo, openvswitch, subversion, and wpa_supplicant), Red Hat (subversion:1.10), SUSE (kernel, openvswitch, perl-File-Path, and wpa_supplicant), and Ubuntu (postgresql-12).
---------------------------------------------
https://lwn.net/Articles/846318/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0001 ∗∗∗
---------------------------------------------
* Versions affected: WebKitGTK before 2.30.5 and WPE WebKit before 2.30.5.
* Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
* Description: A use-after-free issue in the AudioSourceProviderGStreamer class was addressed with improved memory management.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0001.html
∗∗∗ Security Bulletin: Insecure HTTP Communication ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-insecure-http-communicati…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-4954, CVE-2020-4955, CVE-2020-4956) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cognos Controller is vulnerable to privilege escalation (CVE-2020-4685) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-is-…
∗∗∗ Security Bulletin: Vulnerabilities in bind CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-bind-c…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2020-1971). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-02-2021 18:00 - Friday 12-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Buggy WordPress plugin exposes 100K sites to takeover attacks ∗∗∗
---------------------------------------------
Critical and high severity vulnerabilities in the Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks as discovered by Wordfence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-expos…
∗∗∗ Internet Explorer 11 zero-day vulnerability gets unofficial micropatch ∗∗∗
---------------------------------------------
An Internet Explorer 11 zero-day vulnerability used against security researchers, not yet fixed by Microsoft, today received a micropatch that prevents exploitation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/internet-explorer-11-zero-da…
∗∗∗ Web shell attacks continue to rise ∗∗∗
---------------------------------------------
A year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-contin…
∗∗∗ AgentTesla Dropped Through Automatic Click in Microsoft Help File, (Fri, Feb 12th) ∗∗∗
---------------------------------------------
Attackers have plenty of resources to infect our systems. While some files may look suspicious because the extension is less common (like .xsl files), others look really safe and make the victim confident enough to open them. I spotted a phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive, but it contains a .chm file: a Microsoft compiled HTML Help file.
---------------------------------------------
https://isc.sans.edu/diary/rss/27092
∗∗∗ Beware of financial fraud: Do not deposit 250 euros on horizoninvest.cc! ∗∗∗
---------------------------------------------
The Austrian Financial Market Authority (FMA) is currently running a campaign warning of investment and financial fraud. Watchlist Internet is also receiving a growing number of reports about fraudulent platforms that promise easy money through investments. Readers are currently reporting horizoninvest.cc more and more often. Under no circumstances deposit money there! It goes straight into the hands of the criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-finanzbetrug-zahlen-sie-kei…
∗∗∗ Free decrypter released for Avaddon ransomware victims... aaand, it's gone! ∗∗∗
---------------------------------------------
The Avaddon ransomware gang said in a forum post that they have already updated their code to counter the tool's release.
---------------------------------------------
https://www.zdnet.com/article/free-decrypter-released-for-avaddon-ransomwar…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: Attackers could take over F5 BIG-IP appliances ∗∗∗
---------------------------------------------
Various F5 network products are attackable. Attackers could bring devices down or even execute their own commands.
---------------------------------------------
https://heise.de/-5053268
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc, librepo, nextcloud, and privoxy), SUSE
---------------------------------------------
https://lwn.net/Articles/845999/
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in Oracle Java shipped with IBM® Intelligent Operations Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not sufficiently safeguard session IDs from session fixation attacks (CVE-2021-20411) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: CVE-2020-2773 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-may-affect-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not sufficiently protect the key that encrypts and decrypts product credentials (CVE-2021-20408) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center (CVE-2020-2601) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue discloses sensitive information in source code (CVE-2021-20407) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a relatively weak cryptographic algorithm to protect application data (CVE-2021-20406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Multiple Embedded TCP/IP stacks ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-042-01
∗∗∗ Rockwell Automation DriveTools SP and Drives AOP ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-042-02
∗∗∗ Wibu-Systems CodeMeter (Update E) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-02-2021 18:00 - Thursday 11-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ TrickBot's BazarBackdoor malware is now coded in Nim to evade antivirus ∗∗∗
---------------------------------------------
TrickBot's stealthy BazarBackdoor malware has been rewritten in the Nim programming language, likely to evade detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickbots-bazarbackdoor-malw…
∗∗∗ Hybrid, Older Users Most-Targeted by Gmail Attackers ∗∗∗
---------------------------------------------
Researchers at Google and Stanford analyzed 1.2 billion malicious emails to find out what makes users likely to get attacked. 2FA wasn't a big factor.
---------------------------------------------
https://threatpost.com/hybrid-older-users-gmail-attackers/163826/
∗∗∗ Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th) ∗∗∗
---------------------------------------------
While going through attachments of e-mails, which were caught in my e-mail quarantine since the beginning of February, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would not be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27088
∗∗∗ Microsoft Launches Phase 2 Mitigation for Netlogon Remote Code Execution Vulnerability (CVE-2020-1472) ∗∗∗
---------------------------------------------
Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launche…
∗∗∗ Zeoticus 2.0: Ransomware With No C2 Required ∗∗∗
---------------------------------------------
Zeoticus ransomware first appeared for sale in various underground forums and markets in early 2020. The ransomware is currently Windows-specific and, according to the developers, functions on all “supported versions of Windows”.
---------------------------------------------
https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/
∗∗∗ FBI warns against Windows 7 and TeamViewer ∗∗∗
---------------------------------------------
In the wake of the poisoning attack on a water treatment plant in Florida, the US federal police FBI has issued an official warning against the use of Windows 7 and TeamViewer.
---------------------------------------------
https://www.zdnet.de/88393353/fbi-warnt-vor-windows-7-und-teamviewer/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP Commerce Critical Security Bug Allows RCE ∗∗∗
---------------------------------------------
The critical SAP cybersecurity flaw could allow for the compromise of an application used by e-commerce businesses.
---------------------------------------------
https://threatpost.com/sap-commerce-critical-security-bug/163822/
∗∗∗ DoS and malicious code attacks against McAfee Total Protection possible ∗∗∗
---------------------------------------------
There is an important security update for McAfee Total Protection on Windows.
---------------------------------------------
https://heise.de/-5052175
∗∗∗ Windows Print Spooler Keeps Delivering Vulnerabilities, And We Keep Patching Them (CVE-2020-1030) ∗∗∗
---------------------------------------------
by Mitja Kolsek, the 0patch Team. Security researcher Victor Mata of Accenture published a detailed analysis of a binary planting vulnerability in Windows Print Spooler (CVE-2020-1030), which they had previously reported to Microsoft in May 2020, and a fix for which was included in the September 2020 Windows Updates.
---------------------------------------------
https://blog.0patch.com/2021/02/print-spooler-keeps-delivering.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firejail and netty), Fedora (java-1.8.0-openjdk, java-11-openjdk, rubygem-mechanize, and xpdf), Mageia (gstreamer1.0-plugins-bad, nethack, and perl-Email-MIME and perl-Email-MIME-ContentType), openSUSE (firejail, java-11-openjdk, python, and rclone), Red Hat (dotnet, dotnet3.1, dotnet5.0, and rh-nodejs12-nodejs), SUSE (firefox, kernel, python, python36, and subversion), and Ubuntu (gnome-autoar, junit4, openvswitch, postsrsd, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/845750/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i – July 2020. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not properly encode error messages sent to web users (CVE-2021-20405) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with a cross-site scripting vulnerability (CVE-2020-7676) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with known vulnerabilities (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-…
∗∗∗ Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (CVE-2020-4847) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ VMSA-2021-0001 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0001.html
∗∗∗ Squid: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0147
∗∗∗ Trend Micro products: Vulnerability allows security measures to be bypassed ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0169
∗∗∗ F5 BIG-IP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0163
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-02-2021 18:00 - Wednesday 10-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Rinfo Is Making A Comeback and Is Scanning and Mining in Full Speed ∗∗∗
---------------------------------------------
In 2018 we blogged about a scanning&mining botnet family that uses ngrok.io to propagate samples: "A New Mining Botnet Blends Its C2s into ngrok Service", and since mid-October 2020, our BotMon system started to see a new variant of this family [...]
---------------------------------------------
https://blog.netlab.360.com/rinfo-is-making-a-comeback-and-is-scanning-and-…
∗∗∗ Do not buy a Paysafecard to pay customs fees! ∗∗∗
---------------------------------------------
A new mass e-mail is currently landing in the inboxes of numerous internet users. The message is allegedly sent by the customer service of the German or Swiss customs authority.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-paysafecard-um-zoll…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple fixes SUDO root privilege escalation flaw in macOS ∗∗∗
---------------------------------------------
Apple has fixed a sudo vulnerability in macOS Big Sur, Catalina, and Mojave, allowing any local user to gain root-level privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/apple/apple-fixes-sudo-root-privilege…
∗∗∗ Confusion Attack: Microsoft warns of easy takeover of internal packages ∗∗∗
---------------------------------------------
If an internal and an external package share the same name, trojans can be smuggled in.
---------------------------------------------
https://www.golem.de/news/confusion-attack-microsoft-warnt-vor-einfacher-ue…
∗∗∗ Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th) ∗∗∗
---------------------------------------------
This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed.
---------------------------------------------
https://isc.sans.edu/diary/rss/27080
∗∗∗ Patch day: Adobe addresses critical vulnerabilities in Acrobat, Photoshop & Co. ∗∗∗
---------------------------------------------
Attackers are currently targeting Windows users with Adobe Reader. Security updates are available for download.
---------------------------------------------
https://heise.de/-5050997
∗∗∗ Patch day: Intel provides updated drivers, firmware and software ∗∗∗
---------------------------------------------
Updates from Intel, this time mostly available as downloads for end users, remove vulnerabilities, some rated high severity, from various products.
---------------------------------------------
https://heise.de/-5051084
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman, firejail, libzstd, slirp, and xcftools), Fedora (chromium, jackson-databind, and privoxy), openSUSE (chromium), Oracle (kernel and kernel-container), Slackware (dnsmasq), SUSE (java-11-openjdk, kernel, and python), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oem-5.6, linux-oracle, linux-raspi, linux, linux-gke-5.0, linux-gke-5.3, linux-hwe, linux-raspi2-5.3, openjdk-8, openjdk-lts, and snapd).
---------------------------------------------
https://lwn.net/Articles/845602/
∗∗∗ This old security vulnerability left millions of Internet of Things devices vulnerable to attacks ∗∗∗
---------------------------------------------
History's repeating, warn security researchers, who find that a computer security issue that's been known about for decades could be used to manipulate IoT devices - so apply the patches now.
---------------------------------------------
https://www.zdnet.com/article/this-old-security-vulnerability-left-millions…
∗∗∗ GE Digital HMI/SCADA iFIX ∗∗∗
---------------------------------------------
This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource vulnerabilities in the GE Digital HMI/SCADA iFIX software component.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-040-01
∗∗∗ Advantech iView ∗∗∗
---------------------------------------------
This advisory contains mitigations for SQL Injection, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in the Advantech iView device management application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-…
∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an error within Eclipse Jetty (CVE-2020-27216) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4791) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4995) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js and FasterXML jackson-databind affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4795) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a security vulnerability (CVE-2016-2183) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Arbitrary File Read (CVE-2020-4789) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an "Apache CXF" jar vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4790) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-02-2021 18:00 − Tuesday 09-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Android Devices Hunted by LodaRAT Windows Malware ∗∗∗
---------------------------------------------
The LodaRAT - known for targeting Windows devices - has been discovered also targeting Android devices in a new espionage campaign.
---------------------------------------------
https://threatpost.com/android-devices-lodarat-windows/163769/
∗∗∗ Florida: Hacker tried to poison drinking water remotely ∗∗∗
---------------------------------------------
Criminals hacked a drinking water treatment plant in Florida and multiplied the sodium hydroxide feed. An employee observed the act and stopped it.
---------------------------------------------
https://heise.de/-5049266
∗∗∗ Arrest, Raids Tied to ‘U-Admin’ Phishing Kit ∗∗∗
---------------------------------------------
Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.”
---------------------------------------------
https://krebsonsecurity.com/2021/02/arrest-raids-tied-to-u-admin-phishing-k…
∗∗∗ BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech ∗∗∗
---------------------------------------------
The novel Chinese shellcode "BendyBear" is one of the most sophisticated, well-engineered and difficult-to-detect samples employed by an APT.
---------------------------------------------
https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/
∗∗∗ PyPI, GitLab dealing with spam attacks ∗∗∗
---------------------------------------------
Both sites have been flooded over the weekend with garbage content.
---------------------------------------------
https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Critical vulnerability in WordPress plug-in NextGen Gallery ∗∗∗
---------------------------------------------
A loophole in NextGen Gallery could let malicious code onto 800,000 WordPress websites.
---------------------------------------------
https://heise.de/-5049401
∗∗∗ Linux kernel CVE-2020-10769 ∗∗∗
---------------------------------------------
A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module.
---------------------------------------------
https://support.f5.com/csp/article/K62532228
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/845504/
∗∗∗ ZDI-21-153: Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-153/
∗∗∗ SSA-379803: Vulnerabilities in RUGGEDCOM ROX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-379803.txt
∗∗∗ SSA-428051: Privilege Escalation Vulnerability in TIA Administrator ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-428051.txt
∗∗∗ SSA-686152: Denial-of-Service Vulnerability in ARP Protocol of SCALANCE W780 and W740 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-686152.txt
∗∗∗ SSA-663999: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-663999.txt
∗∗∗ SSA-536315: Privilege escalation vulnerability in DIGSI 4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-536315.txt
∗∗∗ SSA-944678: Potential Password Protection Bypass in SIMATIC WinCC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-944678.txt
∗∗∗ SSA-794542: Insecure Folder Permissions in SIMARIS configuration ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-794542.txt
∗∗∗ SSA-362164: Predictable Initial Sequence Numbers in Mentor Nucleus TCP stack ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-362164.txt
∗∗∗ SSA-156833: Zip-Slip Directory Traversal Vulnerability in SINEMA Server and SINEC NMS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-156833.txt
∗∗∗ SAP Patch Day February 2021: Multiple vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0139
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-02-2021 18:00 − Monday 08-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ IT security: Google offers database of vulnerabilities in open-source software ∗∗∗
---------------------------------------------
Whether your own software or its dependencies are affected by security vulnerabilities is sometimes not easy to find out. Google wants to help here.
---------------------------------------------
https://www.golem.de/news/it-security-google-bietet-datenbank-zu-luecken-in…
∗∗∗ FOSDEM: Watching hackers on your own honeypot server ∗∗∗
---------------------------------------------
At FOSDEM, two developers presented a clever method for building your own SSH honeypot and looking over the hackers' shoulders.
---------------------------------------------
https://heise.de/-5048084
∗∗∗ The makers of the Ziggy ransomware regret their deeds and give up ∗∗∗
---------------------------------------------
Anyone who has caught the Ziggy ransomware trojan can now decrypt their data with a free tool.
---------------------------------------------
https://heise.de/-5048379
∗∗∗ Barcode Scanner app on Google Play infects 10 million users with one update ∗∗∗
---------------------------------------------
In a single update, a popular barcode scanner app that had been on Google Play for years turned into malware. ... Google quickly removed the app from its store. ... Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner.
---------------------------------------------
https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google…
∗∗∗ Reverse Engineering Keys from Firmware. A how-to ∗∗∗
---------------------------------------------
It is possible to reverse engineer keys from firmware with some tips:
* Always look for strings/constants.
* Make guesses about the original source.
* Find a function you can recognise and work backwards to identify other functions.
* It helps if they use open-source code so you can crib from it.
---------------------------------------------
https://www.pentestpartners.com/security-blog/reverse-engineering-keys-from…
∗∗∗ Extortion by e-mail: Criminals claim to have filmed you masturbating ∗∗∗
---------------------------------------------
Fraudulent extortion e-mails are once again being sent out en masse. Criminals claim to have hacked your computer and caught you browsing porn websites. Supposedly you were filmed masturbating in the process. The unknown sender now threatens to send this video to all your contacts. Ignore this e-mail and do not reply!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-beh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Firefox and Tor Browser: Update closes critical vulnerability and blocks NTFS bug ∗∗∗
---------------------------------------------
Version updates for Firefox, Firefox ESR and Tor Browser fix a Windows-specific security vulnerability and also bring some bug fixes.
---------------------------------------------
https://heise.de/-5048403
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu).
---------------------------------------------
https://lwn.net/Articles/845426/
∗∗∗ ImageMagick: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
ImageMagick is a collection of program libraries and tools that can process graphics in numerous formats. A local attacker can exploit a vulnerability in ImageMagick to carry out a denial of service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0135
∗∗∗ BlackBerry Powered by Android Security Bulletin - February 2021 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: The Ubuntu ca-certificates have been updated in Watson Machine Learning Community Edition containers due to expiration. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-ubuntu-ca-certificate…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-02-2021 18:00 − Friday 05-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Hackers steal StormShield firewall source code in data breach ∗∗∗
---------------------------------------------
Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-fi…
∗∗∗ Free coffee! Belgian researcher hacks prepaid vending machines ∗∗∗
---------------------------------------------
Only try this at home, folks! As easy as it might look, it's illegal in the wild, with good reason.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-ha…
∗∗∗ Stack Canaries – Gingerly Sidestepping the Cage ∗∗∗
---------------------------------------------
Tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks.
---------------------------------------------
https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage
∗∗∗ [SANS ISC] VBA Macro Trying to Alter the Application Menus ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique.
---------------------------------------------
https://blog.rootshell.be/2021/02/05/sans-isc-vba-macro-trying-to-alter-the…
∗∗∗ Abusing Google Chrome extension syncing for data exfiltration and C&C ∗∗∗
---------------------------------------------
I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication.
---------------------------------------------
https://isc.sans.edu/diary/rss/27066
∗∗∗ besondereprasente.com: Demand your money back! ∗∗∗
---------------------------------------------
Although the website besondereprasente.com no longer exists, Watchlist Internet still receives numerous reports about this fake shop. The reason: anyone who orders from besondereprasente.com falls into an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/besondereprasentecom-fordern-sie-ihr…
∗∗∗ Plex Media servers are being abused for DDoS attacks ∗∗∗
---------------------------------------------
Cyber-security firm Netscout warns of new DDoS attack vector.
---------------------------------------------
https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-…
∗∗∗ Kaspersky warns of crypto scam ∗∗∗
---------------------------------------------
Kaspersky has discovered a new scam scheme that targets Discord users with tempting offers from supposedly new crypto exchanges.
---------------------------------------------
https://www.zdnet.de/88393274/kasperksy-warnt-vor-krypto-scam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day in the Chrome browser: Install the update now ∗∗∗
---------------------------------------------
An actively exploited vulnerability in the Chrome browser endangers most operating systems. Google has an update.
---------------------------------------------
https://heise.de/-5046783
∗∗∗ Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style ∗∗∗
---------------------------------------------
On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sit…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).
---------------------------------------------
https://lwn.net/Articles/845191/
∗∗∗ WordPress Plugin "Name Directory" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50470170/
∗∗∗ Security Bulletin: Watson Machine Learning Community Edition docker containers have been updated to fix a security issue in libcurl ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-c…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning 1.6.2 and 1.7.0 has been patched for various security issues in nanopb. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach…
∗∗∗ Security Bulletin: IBM API Connect is impacted by insecure web server configuration (CVE-2020-4825) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach…
∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph…
∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: PowerHA System Mirror for AIX vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-powerha-system-mirror-for…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-02-2021 18:00 − Thursday 04-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices ∗∗∗
---------------------------------------------
28 malicious extensions disguised traffic as Google Analytics data.
---------------------------------------------
https://arstechnica.com/?p=1739523
∗∗∗ New Fonix ransomware decryptor can recover victims' files for free ∗∗∗
---------------------------------------------
Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-fonix-ransomware-decrypt…
∗∗∗ How to Audit Password Changes in Active Directory ∗∗∗
---------------------------------------------
Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be.
---------------------------------------------
https://thehackernews.com/2021/02/how-to-audit-password-changes-in-active.h…
∗∗∗ Project Zero: Déjà vu-lnerability ∗∗∗
---------------------------------------------
A Year in Review of 0-days Exploited In-The-Wild in 2020
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
∗∗∗ E-scooters are easy to monitor and manipulate ∗∗∗
---------------------------------------------
The rental companies' apps are very forthcoming with information. With the transmitted data, an e-scooter can even be switched off while it is being ridden.
---------------------------------------------
https://heise.de/-5045945
∗∗∗ Browser sync—what are the risks of turning it on? ∗∗∗
---------------------------------------------
Browser synchronization is a handy feature but it comes with a few risks. Here's what you should be asking yourself before you switch it on.
---------------------------------------------
https://blog.malwarebytes.com/privacy-2/2021/02/browser-sync-what-are-the-r…
∗∗∗ This old form of ransomware has returned with new tricks and new targets ∗∗∗
---------------------------------------------
Cerber was once the most common form of ransomware - and now it's back, years after its heyday.
---------------------------------------------
https://www.zdnet.com/article/this-old-form-of-ransomware-has-returned-with…
=====================
= Vulnerabilities =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB21-09) ∗∗∗
---------------------------------------------
A prenotification security advisory (APSB21-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for the week of February 09, 2021.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1967
∗∗∗ Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices ∗∗∗
---------------------------------------------
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications.
---------------------------------------------
https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.ht…
∗∗∗ Patch now! Security update for SonicWall SMA 100 is here ∗∗∗
---------------------------------------------
Attackers are currently targeting SonicWall's SMA 100 remote access system. Now there are patches.
---------------------------------------------
https://heise.de/-5045657
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/845088/
∗∗∗ Panasonic Video Insight VMS vulnerable to arbitrary code execution ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN42252698/
∗∗∗ ZDI-21-151: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-151/
∗∗∗ ZDI-21-150: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-150/
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2020-14781 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: IBM SDK Java Quarterly CPU Jul 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-quarterly-cp…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ wpa_supplicant: Vulnerability allows execution of arbitrary program code ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0129
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX291439
∗∗∗ Luxion KeyShot ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-035-02
∗∗∗ WAGO M&M Software fdtCONTAINER (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05