[CERT-daily] Tageszusammenfassung - 29.04.2021
Daily end-of-shift report
team at cert.at
Thu Apr 29 18:12:23 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-04-2021 18:00 − Donnerstag 29-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Google: Androids Corona-Kontaktverfolgung leakt Daten ∗∗∗
---------------------------------------------
Eigentlich sollte nur das Exposure Notification Framework auf die gesammelten Kontakte zugreifen können, doch Android schreibt sie in ein Log.
---------------------------------------------
https://www.golem.de/news/corona-warn-app-androids-corona-kontaktverfolgung-leakt-daten-2104-156136-rss.html
∗∗∗ Threat Alert: New update from Sysrv-hello, now infecting victims‘ webpages to push malicious exe to end users ∗∗∗
---------------------------------------------
>From the end of last year to now, we have see the uptick of the mining botnet families. While new families have been popping up, some old ones are get frequently updated. Our BotMon system has recently reported about the [rinfo][z0miner]. And the latest case comes from Sysrv-hello [...]
---------------------------------------------
https://blog.netlab.360.com/threat-alert-new-update-from-sysrv-hello-now-infecting-victims-webpages-to-push-malicious-exe-to-end-users/
∗∗∗ Announcing the New Report Delta Mode Option ∗∗∗
---------------------------------------------
A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipients’s network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the [...]
---------------------------------------------
https://www.shadowserver.org/news/announcing-the-new-report-delta-mode-option/
∗∗∗ Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers billing details for two weeks ∗∗∗
---------------------------------------------
First that IPO and now this Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers billing information via a now-patched vulnerability.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/04/29/digital_ocean_data_leak/
∗∗∗ [SANS ISC] From Python to .Net ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “From Python to .Net“: The Microsoft operating system provides the .Net framework to developers. It allows to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/29/sans-isc-from-python-to-net/
∗∗∗ Task Force Seeks to Disrupt Ransomware Payments ∗∗∗
---------------------------------------------
Some of the worlds top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.
---------------------------------------------
https://krebsonsecurity.com/2021/04/task-force-seeks-to-disrupt-ransomware-payments/
∗∗∗ Bitcoin scammers phish for wallet recovery codes on Twitter ∗∗∗
---------------------------------------------
Cryptocurrency scammers are on the prowl for wallet recovery phrases, under the pretence of trying to be helpful.
---------------------------------------------
https://blog.malwarebytes.com/social-engineering/2021/04/bitcoin-scammers-phish-for-wallet-recovery-codes-on-twitter/
∗∗∗ Anatomy of how you get pwned ∗∗∗
---------------------------------------------
Today, somebody had a problem: they kept seeing a popup on their screen, and obvious scam trying to sell them McAfee anti-virus. Where was this coming from? In this blogpost, I follow this rabbit hole on down. It starts with "search engine optimization" links and leads to an entire industry of tricks, scams, exploiting popups, trying to infect your machine with viruses, and stealing emails or credit card numbers.
---------------------------------------------
https://blog.erratasec.com/2021/04/anatomy-of-how-you-get-pwned.html
∗∗∗ Betrügerische Kleinanzeigen auf hyperanzeigen.at ∗∗∗
---------------------------------------------
Immer wieder erreichen die Watchlist Internet Meldungen zu unseriösen Angeboten auf hyperanzeigen.at. Ein genauerer Blick auf die Plattform selbst lässt aber auch Zweifel an deren Seriosität aufkommen. Bei einer Überprüfung von 15 Anzeigen aus unterschiedlichen Kategorien konnten wir keine einzige echte finden. Weiters fehlen Kontaktmöglichkeiten und ein Impressum.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-kleinanzeigen-auf-hyperanzeigenat/
∗∗∗ New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl) ∗∗∗
---------------------------------------------
We analyze commodity malware WeSteal, detail its techniques and examine its customers, as well as sharing details of a newly observed RAT, WeControl.
---------------------------------------------
https://unit42.paloaltonetworks.com/westeal/
=====================
= Vulnerabilities =
=====================
∗∗∗ A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks ∗∗∗
---------------------------------------------
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was [...]
---------------------------------------------
https://thehackernews.com/2021/04/a-new-php-composer-bug-could-enable.html
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco hat Advisories zu 13 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, fünf als "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F04%2F28&firstPublishedEndDate=2021%2F04%2F29
∗∗∗ Overview of F5 vulnerabilities (April 2021) ∗∗∗
---------------------------------------------
Overview of F5 vulnerabilities (April 2021) Security Advisory Security Advisory Description On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as [...]
---------------------------------------------
https://support.f5.com/csp/article/K96639388
∗∗∗ Vulnerability Exposes F5 BIG-IP to Kerberos KDC Hijacking Attacks ∗∗∗
---------------------------------------------
F5 Networks this week released patches to address an authentication bypass vulnerability affecting BIG-IP Access Policy Manager (APM), but fixes are not available for all impacted versions.
---------------------------------------------
https://www.securityweek.com/vulnerability-exposes-f5-big-ip-kerberos-kdc-hijacking-attacks
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ceph, jetty, kernel, kernel-headers, kernel-tools, openvpn, and shim-unsigned-x64), Mageia (firefox and thunderbird), Oracle (nss and openldap), Red Hat (bind), Slackware (bind), SUSE (firefox, giflib, java-1_7_0-openjdk, libnettle, librsvg, thunderbird, and webkit2gtk3), and Ubuntu (bind9 and gst-plugins-good1.0).
---------------------------------------------
https://lwn.net/Articles/854880/
∗∗∗ ZDI-21-490: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-490/
∗∗∗ ZDI-21-489: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-489/
∗∗∗ ZDI-21-488: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-488/
∗∗∗ ZDI-21-487: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-487/
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-02-dos-en
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-may-be-vulnerable-to-a-denial-of-service-vulnerability-cve-2020-1971-2/
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cookie forgery via PHP (CVE-2020-7070) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulnerable-to-cookie-forgery-via-php-cve-2020-7070/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-directory-server-tivoli-rational-directory-administrator-6/
∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0452
∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0451
∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0459
∗∗∗ PHP: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0458
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list