[CERT-daily] Tageszusammenfassung - 28.04.2021
Daily end-of-shift report
team at cert.at
Wed Apr 28 18:14:40 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 27-04-2021 18:00 − Mittwoch 28-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: Juristische Konsequenzen durch den Cellebrite-Hack ∗∗∗
---------------------------------------------
Urteile, in denen die Forensiksoftware zur Beweissicherung verwendet wurde, werden nach Aufdeckung der schweren Sicherheitslücken in Frage gestellt.
---------------------------------------------
https://www.golem.de/news/security-juristische-konsequenzen-durch-den-cellebrite-hack-2104-156087-rss.html
∗∗∗ RotaJakiro: A long live secret backdoor with 0 VT detection ∗∗∗
---------------------------------------------
On March 25, 2021, 360 NETLABs BotMon system flagged a suspiciousELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection, the sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not of TLS/SSL.
---------------------------------------------
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
∗∗∗ Abusing Replication: Stealing AD FS Secrets Over the Network ∗∗∗
---------------------------------------------
Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html
∗∗∗ Emotet: Gut 4 Millionen kopierter Mail-Adressen bei Prüfdienst Have I Been Pwned ∗∗∗
---------------------------------------------
Um Betroffene besser informieren zu können, hat das FBI über vier Mio. E-Mail-Adressen, die der Ex-"König der Schadsoftware" Emotet abgriff, mit HIBP geteilt.
---------------------------------------------
https://heise.de/-6030480
∗∗∗ User Empowerment: Password Security ∗∗∗
---------------------------------------------
World Password Day (who knew that was a thing?) is upon us.
---------------------------------------------
https://malicious.link/post/2021/user-empowerment-password-security/
∗∗∗ Österreichische Gesundheitskasse warnt vor betrügerischen Anrufen ∗∗∗
---------------------------------------------
Versicherte der Österreichischen Gesundheitskasse (ÖGK) werden derzeit von BetrügerInnen angerufen. Die BetrügerInnen geben sich als MitarbeiterInnen der ÖGK aus und rufen von einer vermeintlich österreichischen Nummer an.
---------------------------------------------
https://www.watchlist-internet.at/news/oesterreichische-gesundheitskasse-warnt-vor-betruegerischen-anrufen/
∗∗∗ Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle ∗∗∗
---------------------------------------------
It has been suspected that exploit code used in the wave of attacks may have been sourced from the program.
---------------------------------------------
https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing-scheme-following-exchange-server-debacle/
∗∗∗ Two million database servers are currently exposed across cloud providers ∗∗∗
---------------------------------------------
Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs.
---------------------------------------------
https://therecord.media/two-million-database-servers-are-currently-exposed-across-cloud-providers/
∗∗∗ Ransomware gang targets Microsoft SharePoint servers ∗∗∗
---------------------------------------------
Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.
---------------------------------------------
https://therecord.media/ransomware-gang-targets-microsoft-sharepoint-servers/
=====================
= Vulnerabilities =
=====================
∗∗∗ Schadcode-Lücke in IBM Spectrum Protect gefährdet Server ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für IBMs Datenschutzlösung Spectrum Protect und Spectrum Protect Plus.
---------------------------------------------
https://heise.de/-6030379
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and shibboleth-sp), Fedora (ceph and salt), Oracle (thunderbird), Red Hat (etcd), Scientific Linux (nss and openldap), SUSE (curl, gdm, and libnettle), and Ubuntu (openjdk-8, openjdk-lts and underscore).
---------------------------------------------
https://lwn.net/Articles/854756/
∗∗∗ Synology-SA-21:15 Antivirus Essential ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_15
∗∗∗ WordPress plugin "WP Fastest Cache" vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35240327/
∗∗∗ ZDI-21-485: (0Day) Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-485/
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-01-dos-en
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-16044) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2020-16044-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-affects-content-collector-for-email/
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23954-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a directory traversal vulnerability affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-affects-content-collector-for-email/
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23987-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-26974) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2020-26974-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-installed-websphere-application-server/
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23978) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23978-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
∗∗∗ Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04234247
∗∗∗ TMM vulnerability CVE-2021-23011 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10751325
∗∗∗ BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91414704
∗∗∗ Running a CTU Diagnostics Report may leave elevated command prompt after report generation ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03544414
∗∗∗ TMM with HTTP/2 vulnerability (CVE-2021-23009) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K90603426
∗∗∗ BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18570111
∗∗∗ BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23203045
∗∗∗ BIG-IP APM AD authentication vulnerability CVE-2021-23008 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K51213246
∗∗∗ Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74151369
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list