[CERT-daily] Tageszusammenfassung - 17.08.2021

Daily end-of-shift report team at cert.at
Tue Aug 17 18:16:23 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 16-08-2021 18:00 − Dienstag 17-08-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Malware dev infects own PC and data ends up on intel platform ∗∗∗
---------------------------------------------
A malware developer unleashed their creation on their system to try out new features and the data ended up on a cybercrime intelligence platform, exposing a glimpse of the cybercriminal endeavor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-dev-infects-own-pc-and-data-ends-up-on-intel-platform/


∗∗∗ Copyright scammers turn to phone numbers instead of web links ∗∗∗
---------------------------------------------
Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/08/16/copyright-scammers-turn-to-phone-numbers-instead-of-web-links/


∗∗∗ Laravel (<=v8.4.2) exploit attempts for CVE-2021-3129 (debug mode: Remote code execution), (Tue, Aug 17th) ∗∗∗
---------------------------------------------
The vulnerability and this PoC exploit are well documented as CVE-2021-3129. The vulnerability takes advantage of the Ignition "Solutions." Solutions enable the developer to inject code snippets to aid in debugging. 
---------------------------------------------
https://isc.sans.edu/diary/rss/27758


∗∗∗ Vorsicht vor Fake-Zahlungsbestätigungen von Kriminellen auf bazar.at ∗∗∗
---------------------------------------------
Wer auf bazar.at Waren zum Verkauf anbietet, muss sich momentan vor kriminellen InteressentInnen in Acht nehmen! Diese fragen nach der Verfügbarkeit und behaupten, die Zahlung über bazar.at abzuwickeln. Achtung: bazar.at bietet keine solche Zahlungsart und die Bestätigungsseiten sind gefälscht!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-zahlungsbestaetigungen-von-kriminellen-auf-bazarat/


∗∗∗ Thoughts on Detection ∗∗∗
---------------------------------------------
After helping with many clients with numerous detection rules, I observed one consistent theme that kept popping up, many of the rules were written in a way that seemed to be missing a large portion of the potential detection opportunities.
---------------------------------------------
https://posts.specterops.io/thoughts-on-detection-3c5cab66f511


∗∗∗ 1Password Secret Retrieval — Methodology and Implementation ∗∗∗
---------------------------------------------
1Password is a password manager developed by AgileBits Inc., providing a place for users to store various passwords, software licenses, and other sensitive information in a virtual vaults secured with a PBKDF2 master password.
---------------------------------------------
https://posts.specterops.io/1password-secret-retrieval-methodology-and-implementation-6a9db3f3c709


∗∗∗ Personal VPN and Its Evasions: Risk Factors and How to Maintain Network Visibility ∗∗∗
---------------------------------------------
Personal VPN usage on organizations’ networks can obscure network visibility and open the door to cybercrime such as data exfiltration.
---------------------------------------------
https://unit42.paloaltonetworks.com/person-vpn-network-visibility/


∗∗∗ ProxyShell in Österreich ∗∗∗
---------------------------------------------
In seinem Talk auf der BlackHat US 2021 stellte Sicherheitsforscher Orange Tsai eine weitere Kombination von Lücken vor, die es AngreiferInnen ermöglicht, beliebige Befehle als NT Authority\System über das Netzwerk auszuführen, ohne sich authentifizieren zu müssen.
---------------------------------------------
https://cert.at/de/aktuelles/2021/8/proxyshell-in-osterreich


∗∗∗ New HolesWarm botnet targets Windows and Linux servers ∗∗∗
---------------------------------------------
A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware.
---------------------------------------------
https://therecord.media/new-holeswarm-botnet-targets-windows-and-linux-servers/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Fortinet patches bug letting attackers takeover servers remotely ∗∗∗
---------------------------------------------
Fortinet has released security updates to address a command injection vulnerability that can let attackers take complete control of servers running vulnerable FortiWeb web application firewall (WAF) installations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-patches-bug-letting-attackers-takeover-servers-remotely/


∗∗∗ Security: Glibc-Bugfix machte Lücke einfacher ausnutzbar ∗∗∗
---------------------------------------------
Das Beheben von Sicherheitslücken ist nicht immer so einfach, wie es anfangs scheint, was nun auch das Team der Glibc erfahren musste.
---------------------------------------------
https://www.golem.de/news/security-glibc-bugfix-machte-luecke-einfacher-ausnutzbar-2108-158942-rss.html


∗∗∗ ZDI-21-971: (Pwn2Own) Zoom Heap based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zoom Clients. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-971/


∗∗∗ Sicherheitsupdate für Google Chrome beseitigt Angriffsmöglichkeiten ∗∗∗
---------------------------------------------
Für die Desktop-Fassungen des Chrome-Browsers (Win, macOS & Linux) ist eine Aktualisierung verfügbar, die mehrere Schwachstellen beseitigt.
---------------------------------------------
https://heise.de/-6167542


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox), openSUSE (cpio and rpm), Oracle (compat-exiv2-026, exiv2, firefox, kernel, kernel-container, qemu, sssd, and thunderbird), Red Hat (cloud-init, edk2, kernel, kpatch-patch, microcode_ctl, and sssd), and SUSE (cpio, firefox, and libcares2).
---------------------------------------------
https://lwn.net/Articles/866567/


∗∗∗ Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability ∗∗∗
---------------------------------------------
Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks.
---------------------------------------------
https://www.securityweek.com/millions-iot-devices-exposed-attacks-due-cloud-platform-vulnerability


∗∗∗ iCloud for Windows 12.5 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT212607


∗∗∗ Security Bulletin: Vulnerabilities in Node.js in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-in-ibm-datapower-gateway/


∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities (CVE-2020-1971, CVE-2020-15999, CVE-2017-12652) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-security-vulnerabilities-cve-2020-1971-cve-2020-15999-cve-2017-12652/


∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to CSRF attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-potentially-vulnerable-to-csrf-attack/


∗∗∗ Security Bulletin: IBM API Connect on cloud is impacted by HTTP header injection vulnerability (CVE-2020-4706) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-on-cloud-is-impacted-by-http-header-injection-vulnerability-cve-2020-4706/


∗∗∗ Security Bulletin: Prototype pollution flaw in y18n in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-flaw-in-y18n-in-ibm-datapower-gateway/


∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-27919) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-a-vulnerability-in-golang-cve-2021-27919/


∗∗∗ Security Bulletin: Multiple vulnerabilities in AngularJS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-angularjs/


∗∗∗ Security Bulletin: Potential DoS in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-dos-in-ibm-datapower-gateway/


∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vulnerable-to-a-dos/


∗∗∗ Synology-SA-21:22 DSM ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_22


∗∗∗ Apache HTTP Server: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0878


∗∗∗ Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082) ∗∗∗
---------------------------------------------
https://medium.com/tenable-techblog/integer-overflow-to-rce-manageengine-asset-explorer-agent-cve-2021-20082-7e54cb2caad5


∗∗∗ Stored XSS to RCE Chain as SYSTEM in ManageEngine ServiceDesk Plus ∗∗∗
---------------------------------------------
https://medium.com/tenable-techblog/stored-xss-to-rce-chain-as-system-in-manageengine-servicedesk-plus-493c10f3e444

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list