[CERT-daily] Tageszusammenfassung - 13.08.2021
Daily end-of-shift report
team at cert.at
Fri Aug 13 18:20:02 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-08-2021 18:00 − Freitag 13-08-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Angreifer kombinieren ProxyShell-Lücken und attackieren Microsoft Exchange ∗∗∗
---------------------------------------------
Nach gezielten Scans gibt es nun erste Attacken auf Exchange Server. In Deutschland gibt es tausende verwundbare Systeme. Patches sind verfügbar.
---------------------------------------------
https://heise.de/-6164957
∗∗∗ Unseriöse Shops kopieren Webseiten von beliebten Schuhmarken! ∗∗∗
---------------------------------------------
Wer Dr. Marten- oder Skecher-Schuhe in einem Online-Shop kaufen will, sollte sich vorher vergewissern, ob der Shop auch seriös ist. Denn derzeit werden der Watchlist Internet vermehrt Markenfälscher-Shops gemeldet, die unglaublich günstige Markenschuhe anbieten. Wenn das Impressum fehlt und die Schuhe zu unglaublichen Preisen angeboten werden, sollten Sie lieber Abstand von einem Einkauf nehmen.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-shops-kopieren-webseiten-von-beliebten-schuhmarken/
∗∗∗ SynAck ransomware releases decryption keys after El_Cometa rebrand ∗∗∗
---------------------------------------------
The SynAck ransomware gang released the master decryption keys for their operation after rebranding as the new El_Cometa group.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/synack-ransomware-releases-decryption-keys-after-el-cometa-rebrand/
∗∗∗ WordPress Sites Abused in Aggah Spear-Phishing Campaign ∗∗∗
---------------------------------------------
The Pakistan-linked threat groups campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea.
---------------------------------------------
https://threatpost.com/aggah-wordpress-spearphishing/168657/
∗∗∗ Example of Danabot distributed through malspam, (Fri, Aug 13th) ∗∗∗
---------------------------------------------
Danabot is an information stealer known for targeting banking data on infected Windows hosts. According to Proofpoint, Danabot version 4 started appearing in the wild in October 2020. We recently discovered a Danabot sample during an infection kicked off by an email attachment sent on Thursday 2021-08-12. Today's diary reviews this Danabot infection.
---------------------------------------------
https://isc.sans.edu/diary/rss/27744
∗∗∗ Using AI to Scale Spear Phishing ∗∗∗
---------------------------------------------
The problem with spear phishing it that it takes time and creativity to create individualized enticing phishing emails. Researchers are using GPT-3 to attempt to solve that problem: The researchers used OpenAI's GPT-3 platform in conjunction with other AI-as-a-service products focused on personality analysis to generate phishing emails tailored to their colleagues' backgrounds and traits.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/08/using-ai-to-scale-spear-phishing.html
∗∗∗ Phishing campaign goes old school, dusts off Morse code ∗∗∗
---------------------------------------------
Sometimes new technology just doesnt get the job done.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/08/phishing-campaign-goes-old-school-dusts-off-morse-code/
∗∗∗ Examining threats to device security in the hybrid workplace ∗∗∗
---------------------------------------------
As employees split their time between office and off-site work, there's a greater potential for company devices and data to fall into the wrong hands
---------------------------------------------
https://www.welivesecurity.com/2021/08/12/examining-threats-device-security-hybrid-workplace/
∗∗∗ Hackers tried to exploit two zero-days in Trend Micro's Apex One EDR platform ∗∗∗
---------------------------------------------
Cyber-security firm Trend Micro said hackers tried to exploit two zero-day vulnerabilities in its Apex One EDR platform in an attempt to go after its customers in attacks that took place earlier this year.
---------------------------------------------
https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform/
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005 ∗∗∗
---------------------------------------------
The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing.
---------------------------------------------
https://www.drupal.org/sa-core-2021-005
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and postgresql-10, postgresql-12, postgresql-13).
---------------------------------------------
https://lwn.net/Articles/866185/
∗∗∗ Cognex In-Sight OPC Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in Cognex In-Sight OPC Server industrial software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-224-01
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Write, Access of Uninitialized Pointer, and Out-of-bounds Read vulnerabilities in Horner Automation Cscape control system application programming software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-224-02
∗∗∗ Sensormatic Electronics C-CURE 9000 (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-182-02 Sensormatic Electronics C-CURE 9000 that was published July 1, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02
∗∗∗ Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerability-affects-ibm-partner-engagement-manager-cve-2021-29781-2/
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to possible information disclosure in a multi-domain deployment. (CVE-2021-29880) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-possible-information-disclosure-in-a-multi-domain-deployment-cve-2021-29880/
∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-service-console-affects-ibm-cloud-pak-system-cve-2021-20478-3/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list