[CERT-daily] Daily summary - 25.08.2021

Daily end-of-shift report team at cert.at
Wed Aug 25 18:35:18 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 24-08-2021 18:00 − Wednesday 25-08-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Medicine: Security vulnerabilities discovered in infusion pumps ∗∗∗
---------------------------------------------
Medical infusion pumps deliver medication to patients. If attackers can manipulate the dose unnoticed, the consequences can be severe.
---------------------------------------------
https://www.golem.de/news/medizin-sicherheitsluecken-in-infusionspumpen-entdeckt-2108-159120-rss.html


∗∗∗ Security updates: F5 network equipment vulnerable to attacks ∗∗∗
---------------------------------------------
F5 has closed several dangerous security vulnerabilities in various BIG-IP appliances.
---------------------------------------------
https://heise.de/-6174378


∗∗∗ The danger of old vulnerabilities ∗∗∗
---------------------------------------------
Trend Micro urges companies to focus their patching efforts on the vulnerabilities that pose the greatest risk to their organisation - even if these are already several years old. Around a quarter of the exploits traded in the cybercriminal underground are more than three years old.
---------------------------------------------
https://www.zdnet.de/88396365/gefahr-durch-alte-schwachstellen/


∗∗∗ Beware of the supposed doctor from Afghanistan who wants to buy your flat! ∗∗∗
---------------------------------------------
Do you currently have a property advertised on the Internet? Then you should beware of a supposed prospective buyer from Afghanistan. An alleged doctor is currently writing indiscriminately to people who have advertised a flat, claiming that she wants to move to Europe. Her stated reason is that she cannot work as a doctor under the Taliban. Attention, fraud! Here criminals are exploiting the plight of the population in Afghanistan.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-angeblicher-aerztin-aus-afghanistan-die-ihre-wohnung-kaufen-will/


∗∗∗ Ransomware gang's script shows exactly the files they're after ∗∗∗
---------------------------------------------
A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/


∗∗∗ FIN8 cybercrime gang backdoors US orgs with new Sardonic malware ∗∗∗
---------------------------------------------
A financially motivated cybercrime gang has breached and backdoored the network of a US financial organization with a new malware dubbed Sardonic by Bitdefender researchers, who first spotted it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin8-cybercrime-gang-backdoors-us-orgs-with-new-sardonic-malware/


∗∗∗ There may be (many) more SPF records than we might expect, (Wed, Aug 25th) ∗∗∗
---------------------------------------------
The Sender Policy Framework (SPF[1]) is a simple but fairly powerful mechanism that may be used (ideally in connection with DKIM[2] and DMARC[3]) to combat phishing to some degree. Basically, it allows a domain name owner to publish a special DNS TXT record containing a list of servers that are authorized to send e-mails for that domain.
---------------------------------------------
https://isc.sans.edu/diary/rss/27786
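
As an added illustration of the mechanism the diary describes (this is not code from the ISC post or from any SPF library), the following Python evaluator walks a v=spf1 record the way a receiving mail server does: it pulls the record from TXT data, tests the connecting address against each mechanism in order, and maps the first matching mechanism's qualifier to a result. The DNS TXT table, domain names and address ranges are constructed for the example; only ip4, ip6, include and all are implemented so it runs offline, and a/mx/ptr/exists/redirect= are reported as permerror. It also shows two failure modes a practitioner runs into when auditing records: a domain publishing two SPF records, and an include chain that exceeds the RFC 7208 lookup limit.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed in-memory DNS table.

Added example for the SPF item above; it is not code from the ISC diary.
The TXT data below is made up, and only the ip4/ip6/include/all mechanisms
plus the four qualifiers are implemented so the whole thing runs offline.
"""
import ipaddress

# Constructed DNS TXT data (assumption: these names and address ranges belong
# to no real organisation; .test and documentation prefixes are used on purpose).
DNS_TXT = {
    "example.test":     ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.test":        ["v=spf1 include:loop.test -all"],   # include cycle
    "nospf.test":       ["unrelated TXT record"],            # no SPF published
    "two.test":         ["v=spf1 -all", "v=spf1 +all"],      # two SPF records
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 caps DNS-querying mechanisms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single v=spf1 record, None if absent, or 'permerror'
    when more than one is published (RFC 7208 section 3.2)."""
    found = [r for r in DNS_TXT.get(domain.lower(), [])
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not found:
        return None
    return found[0] if len(found) == 1 else "permerror"


def check_host(ip, domain, _state=None):
    """Evaluate the sending address `ip` against `domain`'s SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `_state` carries the lookup counter across include recursion.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"             # loops and over-long chains end here
            inner = check_host(ip, arg, state)
            if inner in ("none", "permerror"):
                return "permerror"             # a missing included record is fatal
            matched = inner == "pass"          # include matches only on pass
        elif mech == "all":
            matched = True
        else:
            # a, mx, ptr, exists and redirect= need live DNS and are out of scope here
            return "permerror"

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                           # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.test"), ("2001:db8::1", "example.test"),
                    ("203.0.113.7", "example.test"), ("203.0.113.7", "loop.test"),
                    ("203.0.113.7", "two.test"), ("203.0.113.7", "nospf.test")]:
        print(f"{ip:>14} {dom:<18} -> {check_host(ip, dom)}")
```

Note that an include only counts as a match when the included record yields pass; a softfail or fail inside the include falls through to the next term of the outer record, which is why 203.0.113.7 ends at the outer -all as fail rather than at the inner ~all as softfail.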


∗∗∗ 7 Ways to Secure Magento 1 ∗∗∗
---------------------------------------------
While unpatched installations of Magento 2 contain many vulnerabilities, I’m going to focus my attention on Magento 1 for this article. This is because Magento 2 provides regularly updated patches for many of the most common vulnerabilities targeting the platform. While Magento 1 also contains patches for many known vulnerabilities, those patches are not currently maintained. Magento 1 reached its end-of-support on June 30, 2020.
---------------------------------------------
https://blog.sucuri.net/2021/08/securing-magento-1.html


∗∗∗ RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate ∗∗∗
---------------------------------------------
As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/eitest-gootloader/


∗∗∗ The SideWalk may be as dangerous as the CROSSWALK ∗∗∗
---------------------------------------------
Meet SparklingGoblin, a member of the Winnti family
---------------------------------------------
https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/


∗∗∗ CISA Releases Five Pulse Secure-Related MARs ∗∗∗
---------------------------------------------
As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/08/24/cisa-releases-five-pulse-secure-related-mars


∗∗∗ North Korean BLUELIGHT Special: InkySquid Deploys RokRAT ∗∗∗
---------------------------------------------
In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT. This follow-up post describes findings from a recent investigation undertaken by Volexity in which the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka DOGCALL).
---------------------------------------------
https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021 ∗∗∗
---------------------------------------------
On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability in the following BlackBerry software releases: 
- QNX Software Development Platform (SDP) - 6.5.0SP1 and earlier 
- QNX OS for Medical - 1.1 and earlier 
- QNX OS for Safety - 1.0.1 and earlier 
A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS).
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL


∗∗∗ Cisco NX-OS Software Python Parser Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
Update from August 25, 2021: Cisco found that this vulnerability was present in additional releases of Cisco NX-OS Software with the introduction of Python 3 support. For more information, see the Fixed Software section of this advisory.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-pyth-escal


∗∗∗ VMSA-2021-0018 ∗∗∗
---------------------------------------------
VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0018.html


∗∗∗ Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce ∗∗∗
---------------------------------------------
On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/


∗∗∗ Nested Pages Patches Post Deletion Vulnerability ∗∗∗
---------------------------------------------
On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openssl), openSUSE (libspf2, openssl-1_0_0, and openssl-1_1), Oracle (libsndfile), SUSE (nodejs10, nodejs12, openssl, openssl-1_0_0, openssl-1_1, and openssl1), and Ubuntu (openssl).
---------------------------------------------
https://lwn.net/Articles/867354/


∗∗∗ Hitachi ABB Power Grids TropOS ∗∗∗
---------------------------------------------
This advisory contains mitigations for Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, and Improper Input Validation vulnerabilities in Hitachi ABB Power Grids TropOS firmware.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-236-01


∗∗∗ Hitachi ABB Power Grids Utility Retail Operations and CSB Products ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Retail Operations and Counterparty Settlement Billing (CSB) utility usage and billing software products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-236-02


∗∗∗ Delta Electronics TPEditor ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in Delta Electronics TPEditor programming software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-236-03


∗∗∗ Vembu BDR Full Disclosure ∗∗∗
---------------------------------------------
On 15 May 2021 we published case DIVD-2020-00011, which dealt with four vulnerabilities in Vembu BDR and related products. These four vulnerabilities were confidentially reported to Vembu in November 2020 and again in February 2021. Current status: From recent scan data we know that the three most damaging vulnerabilities have practically ceased to be present on the internet, therefore we have decided to release the full technical details on these vulnerabilities.
---------------------------------------------
https://csirt.divd.nl/2021/08/25/Vembu-BDR-Full-Disclosure/


∗∗∗ Xen Security Advisory CVE-2021-28700 / XSA-383 ∗∗∗
---------------------------------------------
xen/arm: No memory limit for dom0less domUs
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-383.html


∗∗∗ Xen Security Advisory CVE-2021-28699 / XSA-382 ∗∗∗
---------------------------------------------
inadequate grant-v2 status frames array bounds check
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-382.html


∗∗∗ Xen Security Advisory CVE-2021-28698 / XSA-380 ∗∗∗
---------------------------------------------
long running loops in grant table handling
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-380.html


∗∗∗ Xen Security Advisory CVE-2021-28697 / XSA-379 ∗∗∗
---------------------------------------------
grant table v2 status pages may remain accessible after de-allocation
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-379.html


∗∗∗ Xen Security Advisory CVE-2021-28694,CVE-2021-28695,CVE-2021-28696 / XSA-378 ∗∗∗
---------------------------------------------
IOMMU page mapping issues on x86
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-378.html


∗∗∗ The installers of multiple Sony products may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN80288258/


∗∗∗ QEMU: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0908

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily