===================== = End-of-Day report = =====================
Timeframe: Friday 10-09-2021 18:00 − Monday 13-09-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
===================== = News = =====================
∗∗∗ Waiting for Windows patches: do-it-yourself guide for MSHTML exploit in circulation ∗∗∗ --------------------------------------------- Security researchers warn how attackers could bypass Microsoft's protective measures against Windows attacks. An exploit construction kit is also available. --------------------------------------------- https://heise.de/-6190319
∗∗∗ SOVA, Worryingly Sophisticated Android Trojan, Takes Flight ∗∗∗ --------------------------------------------- The malware appeared in August with an ambitious roadmap (think ransomware, DDoS) that could make it the most feature-rich Android malware on the market. --------------------------------------------- https://threatpost.com/sova-sophisticated-android-trojan/169366/
∗∗∗ Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th) ∗∗∗ --------------------------------------------- This parser takes the logs from a Windows 2012R2 and/or 2019 server (C:\DNSLogs\windns.log) and parses them into usable metadata which can be monitored and queried via an ELK dashboard. The logs have been mapped using DNS ECS field meta here [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/27828
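The kind of parsing the diary describes, as an added example that is not the diary's own parser: a small Python script that reads Windows DNS Server debug-log packet lines, decodes the length-prefixed question name, maps the fields onto ECS-style names (dns.question.name, dns.header_flags, dns.response_code, network.direction and so on, my assumed mapping), and emits an Elasticsearch _bulk body. The sample log is constructed, the Windows flag-character to ECS header-flag mapping is an assumption, and the index name is hypothetical.

```python
"""Parse Windows DNS Server debug-log packet lines into ECS-style documents.
Added example, not the ISC diary's parser. Assumes the default debug-log
layout (packet logging on, "details" off) and the ECS field names below."""
import json
import re
from datetime import datetime, tzinfo
from typing import Iterable, Iterator, Optional

# Constructed sample log (not real traffic), in the Windows DNS debug-log layout:
# date time thread ctx packet-id proto dir remote-ip xid [R] opcode [flags] qtype qname
SAMPLE_LOG = """\
DNS Server log file creation at 9/11/2021 10:15:00 AM

9/11/2021 10:15:32 AM 0B6C PACKET  000001B2E5C3A8F0 UDP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/11/2021 10:15:32 AM 0B6C PACKET  000001B2E5C3A8F0 UDP Snd 192.168.1.50    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
9/11/2021 10:15:40 AM 0B6C PACKET  000001B2E5C3B120 TCP Rcv 192.168.1.77    9c1a   Q [0001   D   NOERROR] TXT    (10)0a1b2c3d4e(3)dl0(7)example(3)net(0)
9/11/2021 10:15:41 AM 0B6C PACKET  000001B2E5C3B120 TCP Snd 192.168.1.77    9c1a R Q [8183   DR  NXDOMAIN] TXT    (10)0a1b2c3d4e(3)dl0(7)example(3)net(0)
"""

PACKET_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<thread>[0-9A-Fa-f]+) PACKET\s+(?P<packet_id>[0-9A-Fa-f]+) "
    r"(?P<transport>UDP|TCP) (?P<direction>Snd|Rcv) (?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>R)?\s*(?P<opcode>\S)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")

OPCODES = {"Q": "QUERY", "N": "NOTIFY", "U": "UPDATE"}
# Windows flag characters -> ECS dns.header_flags values (assumed mapping)
FLAG_CHARS = {"A": "AA", "T": "TC", "D": "RD", "R": "RA"}


def decode_qname(encoded: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        if int(length) == 0:           # (0) is the root terminator
            break
        if len(label) != int(length):  # truncated or garbled line
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(label)
    return ".".join(labels)


def parse_line(line: str, tz: Optional[tzinfo] = None) -> Optional[dict]:
    """Return an ECS-style dict for a packet line, or None for other lines."""
    m = PACKET_RE.match(line)
    if not m:
        return None                      # header, blank and hex-dump lines
    f = m.groupdict()
    tokens = f["flags"].split()          # e.g. ['8081', 'DR', 'NOERROR']
    header_flags = [FLAG_CHARS.get(c, c) for c in "".join(tokens[1:-1])]
    # The debug log carries the server's local time with no zone; pass tz
    # so @timestamp is unambiguous once it is in Elasticsearch.
    ts = datetime.strptime(f["ts"], "%m/%d/%Y %I:%M:%S %p")
    if tz is not None:
        ts = ts.replace(tzinfo=tz)
    inbound = f["direction"] == "Rcv"
    doc = {
        "@timestamp": ts.isoformat(),
        "event": {"category": ["network"], "type": ["protocol"]},
        "network": {
            "protocol": "dns",
            "transport": f["transport"].lower(),
            "direction": "inbound" if inbound else "outbound",
        },
        "dns": {
            "id": f["xid"],
            "type": "query" if f["qr"] is None else "answer",
            "op_code": OPCODES.get(f["opcode"], f["opcode"]),
            "header_flags": header_flags,
            "response_code": tokens[-1],
            "question": {"name": decode_qname(f["qname"]), "type": f["qtype"]},
        },
    }
    # Only the remote side is logged; the server's own address is not.
    doc["source" if inbound else "destination"] = {"ip": f["remote_ip"]}
    return doc


def parse_log(text: str, tz: Optional[tzinfo] = None) -> Iterator[dict]:
    for line in text.splitlines():
        doc = parse_line(line, tz)
        if doc is not None:
            yield doc


def to_bulk_body(docs: Iterable[dict], index: str = "windns-debug") -> str:
    """NDJSON body for POST /_bulk (the index name is a hypothetical choice)."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_bulk_body(parse_log(SAMPLE_LOG)))
```

Run it against a copy of C:\DNSLogs\windns.log and POST the output to the cluster's _bulk endpoint; the query/answer pairing via dns.id and the decoded dns.question.name are what make the ELK dashboard queries in the diary possible.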
∗∗∗ New SpookJS Attack Bypasses Google Chrome’s Site Isolation Protection ∗∗∗ --------------------------------------------- A newly discovered side-channel attack demonstrated on modern processors can be weaponized to successfully overcome Site Isolation protections weaved into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style speculative execution attack. Dubbed "Spook.js" by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv [...] --------------------------------------------- https://thehackernews.com/2021/09/new-spookjs-attack-bypasses-google.html
∗∗∗ REvil: ransomware gang active again in a new line-up ∗∗∗ --------------------------------------------- New forum posts and "Happy Blog" content show that the extortion gang around REvil is back, and that its time off was apparently not voluntary. --------------------------------------------- https://heise.de/-6190537
∗∗∗ BazarLoader to Conti Ransomware in 32 Hours ∗∗∗ --------------------------------------------- Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown [...] --------------------------------------------- https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-h...
∗∗∗ Incident response analyst report 2020 ∗∗∗ --------------------------------------------- We deliver a range of services: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams. --------------------------------------------- https://securelist.com/incident-response-analyst-report-2020/104080/
===================== = Vulnerabilities = =====================
∗∗∗ Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. --------------------------------------------- https://blog.talosintelligence.com/2021/09/nitro-pro-code-execution.html
∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu and thunderbird), Fedora (chromium, firefox, and mosquitto), openSUSE (apache2-mod_auth_openidc, gifsicle, openssl-1_1, php7-pear, and wireshark), Oracle (oswatcher), Red Hat (cyrus-imapd, firefox, and thunderbird), SUSE (apache2-mod_auth_openidc, compat-openssl098, php7-pear, and wireshark), and Ubuntu (git and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/869103/
∗∗∗ Update - Critical vulnerability in the Microsoft MSHTML component - workarounds available, exploits published ∗∗∗ --------------------------------------------- Update: 13 September 2021 / Description: Microsoft has published a warning, outside its usual patch cycle, about a vulnerability in the MSHTML component. Attackers can exploit it through specially crafted Microsoft Office documents; according to Microsoft, such documents are already in circulation. --------------------------------------------- https://cert.at/de/warnungen/2021/9/kritische-sicherheitslucke-in-der-micros...
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-managemen...
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-i...
∗∗∗ Security Bulletin: Multiple vulnerabilities in ICU libraries used in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-i...
∗∗∗ Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-29727, CVE-2021-29801, CVE-2021-29862) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-aix...
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-i...
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security SOAR (CVE-2021-2341, CVE-2021-2369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-i...
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-m...
∗∗∗ Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerab...
∗∗∗ Security Bulletin: Input Validation Vulnerability in Apache Commons Codec Affects IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerabi...