[CERT-daily] Tageszusammenfassung - 19.04.2021
Daily end-of-shift report
team at cert.at
Mon Apr 19 18:41:52 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-04-2021 18:00 − Montag 19-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Codecov: Gehacktes Entwickler-Tool Bash Uploader zum Datendiebstahl missbraucht ∗∗∗
---------------------------------------------
Unbekannte manipulierten den Bash Uploader-Code. Der Vorfall, der zwei Monate lang unbemerkt blieb, betrifft potenziell auch einige bekannte Firmen.
---------------------------------------------
https://heise.de/-6019302
∗∗∗ Ryuk ransomware operation updates hacking techniques ∗∗∗
---------------------------------------------
Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-updates-hacking-techniques/
∗∗∗ NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator ∗∗∗
---------------------------------------------
BleepingComputer owner Lawrence Abrams reported infections of new singular ransomware dubbed NitroRansomware which demands a Discord Nitro gift code to the victims to decrypt their files.
---------------------------------------------
https://heimdalsecurity.com/blog/nitroransomware-distributed-as-a-fake-free-nitro-gift-code-generator/
∗∗∗ BazarLoader Malware Abuses Slack, BaseCamp Clouds ∗∗∗
---------------------------------------------
Two cyberattack campaigns are making the rounds using unique social-engineering techniques.
---------------------------------------------
https://threatpost.com/bazarloader-malware-slack-basecamp/165455/
∗∗∗ Serious Security: Rowhammer is back, but now it’s called SMASH ∗∗∗
---------------------------------------------
Simply put: reading from RAM in your program could write to RAM in someone elses
---------------------------------------------
https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-back-but-now-its-called-smash/
∗∗∗ Querying Spamhaus for IP reputation, (Fri, Apr 16th) ∗∗∗
---------------------------------------------
Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that python script has evolved some which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added into that script.
---------------------------------------------
https://isc.sans.edu/diary/rss/27320
∗∗∗ Decoding Cobalt Strike Traffic, (Sun, Apr 18th) ∗∗∗
---------------------------------------------
In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.
---------------------------------------------
https://isc.sans.edu/diary/rss/27322
∗∗∗ Hunting phishing websites with favicon hashes, (Mon, Apr 19th) ∗∗∗
---------------------------------------------
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
---------------------------------------------
https://isc.sans.edu/diary/rss/27326
∗∗∗ Malware Spreads Via Xcode Projects Now Targeting Apples M1-based Macs ∗∗∗
---------------------------------------------
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apples new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload.
---------------------------------------------
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html
∗∗∗ Malvertisers hacked 120 ad servers to load malicious ads ∗∗∗
---------------------------------------------
A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.
---------------------------------------------
https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-malicious-ads/
∗∗∗ Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack ∗∗∗
---------------------------------------------
The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack.
---------------------------------------------
https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Schadcode-Lücken in NAS-Systemen von Qnap geschlossen ∗∗∗
---------------------------------------------
Fehler in verschiedenen Komponenten machen Netzwerkspeicher (NAS) von Qnap verwundbar. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-6019234
∗∗∗ VMSA-2021-0006 ∗∗∗
---------------------------------------------
A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware product.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0006.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...]
---------------------------------------------
https://lwn.net/Articles/853420/
∗∗∗ iApps vulnerability CVE-2020-17507 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11542555
∗∗∗ libcroco vulnerability CVE-2020-12825 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01074825
∗∗∗ Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0397
∗∗∗ Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics – Log Analysis Analysis (CVE-2018-8017) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-with-apache-tika-in-apache-solr-affects-ibm-operations-analytics-log-analysis-analysis-cve-2018-8017/
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-tika-affects-apache-solr-shipped-with-ibm-operations-analytics-log-analysis/
∗∗∗ Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-fasterxml-jackson-databind-affect-apache-solr-shipped-with-ibm-operations-analytics-log-analysis/
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerable-to-a-buffer-overflow-cve-2020-5025-6/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-3/
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-corporate-payment-services-is-affected-by-a-potential-code-injection-vulnerability-cve-2020-5268/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-11/
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-cloud-pak-for-data-is-impacted-by-vulnerabilities-in-node-js/
∗∗∗ Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2018-8036) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affects-apache-solr-shipped-with-ibm-operations-analytics-log-analysis-cve-2018-8036/
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affecting-tivoli-netcool-omnibus-multiple-cves-3/
∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vulnerable-to-command-injection-cve-2021-20527/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list