[CERT-daily] Tageszusammenfassung - 26.04.2021

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 23-04-2021 18:00 − Montag 26-04-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Qnap: NAS-Ransomware erpresst in wenigen Tagen 230.000 Euro ∗∗∗
---------------------------------------------
Mit einer trivialen Sicherheitslücke konnte die Ransomware Qlocker binnen weniger Tage Tausende Euro von Qnap-NAS-Besitzern erpressen.
---------------------------------------------
https://www.golem.de/news/qnap-nas-ransomware-erpresst-in-wenigen-tagen-230-000-euro-2104-156014-rss.html


∗∗∗ Passwordstate: Passwort-Manager von Click Studios gehackt ∗∗∗
---------------------------------------------
Angreifern ist die Kompromittierung einer Upgrade-Funktion von Click Studios gelungen. Nutzer von Passwordstate sollen ihre Passwörter zurücksetzen.
---------------------------------------------
https://heise.de/-6027188


∗∗∗ "Tschüss Emotet": Malware deinstalliert sich selbst ∗∗∗
---------------------------------------------
Der "König der Schad-Software" machte still und leise einen Abgang.
---------------------------------------------
https://heise.de/-6028392


∗∗∗ Unsecured Kubernetes Instances Could Be Vulnerable to Exploitation ∗∗∗
---------------------------------------------
We discuss how malware and malicious activities can occur in unsecured Kubernetes instances and how better configuration can help.
---------------------------------------------
https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/


∗∗∗ This password-stealing Android malware is spreading quickly: Heres what to watch out for ∗∗∗
---------------------------------------------
FluBot is designed to steal personal information including bank details - and infected users are being exploited to spread the malware to their contacts.
---------------------------------------------
https://www.zdnet.com/article/this-password-stealing-android-malware-is-spreading-quickly-heres-watch-to-watch-out-for/


∗∗∗ Hacking campaign targets FileZen file-sharing network appliances ∗∗∗
---------------------------------------------
Threat actors are using two vulnerabilities in a popular file-sharing server to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Ministers Cabinet Office.
---------------------------------------------
https://therecord.media/hacking-campaign-targets-filezen-file-sharing-network-appliances/


∗∗∗ Fake Microsoft DirectX 12 site pushes crypto-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-site-pushes-crypto-stealing-malware/


∗∗∗ Base64 Hashes Used in Web Scanning, (Sat, Apr 24th) ∗∗∗
---------------------------------------------
I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each logs. This graph illustrate an increase in web scanning activity for username:password over the past 3 years.
---------------------------------------------
https://isc.sans.edu/diary/rss/27346



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux ∗∗∗
---------------------------------------------
A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a [...]
---------------------------------------------
https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html


∗∗∗ SSD Advisory – Hongdian H8922 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
The H8922 “4G industrial router is based on 3G/4G wireless network and adopts a high-performance 32-bit embedded operating system with full industrial design. It supports wired and wireless network backup, and its high reliability and convenient networking make it suitable for large-scale distributed industrial applications. Such as smart lockers, charging piles, bank ATM machines, tower monitoring, electricity, water conservancy, environmental protection”. Several vulnerabilities in the H8922 device allow remote attackers to cause the device to execute arbitrary commands with root privileges due to the fact that user provided data is not properly filtered as well as a backdoor account allows access via port 5188/tcp.
---------------------------------------------
https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/


∗∗∗ [PDF] Beckhoff Security Advisory 2021-001: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server ∗∗∗
---------------------------------------------
Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs.
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2021-001.pdf


∗∗∗ Erneut Sicherheitslücke bei Corona-Schnelltests ∗∗∗
---------------------------------------------
Aufgrund einer Sicherheitslücke in einer Schnelltest-Software konnten Unbefugte auf sensible Informationen zugreifen. Die Lücke ist mittlerweile geschlossen.
---------------------------------------------
https://heise.de/-6027394


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7, gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, jackson-databind, libspring-java, opendmarc, openjdk-11, and pjproject), Fedora (buildah, containers-common, crun, firefox, java-11-openjdk, nextcloud-client, openvpn, podman, python3-docs, python3.9, runc, and xorg-x11-server), Mageia (connman, krb5-appl, and virtualbox), openSUSE (apache-commons-io, ImageMagick, jhead, libdwarf, nim, [...]
---------------------------------------------
https://lwn.net/Articles/854504/


∗∗∗ MB connect line: multiple products partially affected by DNSspooq ∗∗∗
---------------------------------------------
Multiple flaws have been found in dnsmasq before version 2.83 [...]
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-012


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0436


∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0438

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily