[CERT-daily] Tageszusammenfassung - 23.02.2021

Tue Feb 23 18:37:16 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 22-02-2021 18:00 − Dienstag 23-02-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Achtung: Gefälschtes E-Mail von A1 über eine Belohnung für Mobilpoints führt in Abo-Falle ∗∗∗
---------------------------------------------
„Seit Sie unsere Dienste nutzen, haben Sie 29.039 Mobilpoints gesammelt. Dank dieser erhalten Sie als Belohnung ein Smartphone.“ Dieses Angebot wird angeblich von A1 per E-Mail unterbreitet. Doch Vorsicht: Dieses E-Mail stammt von Kriminellen. Wer diesem vermeintlichen Angebot Glauben schenkt und die Liefergebühren bezahlt, tappt in eine teure Abo-Falle!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-gefaelschtes-e-mail-von-a1-ueber-eine-belohnung-fuer-mobilpoints-fuehrt-in-abo-falle/

∗∗∗ Lessons Learned from SUNBURST for Threat Hunters ∗∗∗
---------------------------------------------
Practical advice from the DomainTools research team on how to approach adversary-based threat hunting, asset management, and incident response in the wake of the SUNBURST campaign.
---------------------------------------------
https://www.domaintools.com/resources/blog/lessons-learned-from-sunburst-for-threat-hunters

∗∗∗ Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd) ∗∗∗
---------------------------------------------
I wanted to take a look at Brad's malicious spreadsheet, using Excel inside a VM.
---------------------------------------------
https://isc.sans.edu/diary/rss/27126

∗∗∗ Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd) ∗∗∗
---------------------------------------------
Given its history, the Full Disclosure mailing list[1] is probably one of the best-known places on the internet where information about newly discovered vulnerabilities is may be published in a completely open way. If one wishes to inform the wider security community about a vulnerability one found in any piece of software, one only has to submit a post and after it is evaluated by the moderators, the information will be published to the list.
---------------------------------------------
https://isc.sans.edu/diary/rss/27130

∗∗∗ Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs ∗∗∗
---------------------------------------------
Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents. Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain [...]
---------------------------------------------
https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html

∗∗∗ New article: Decompiling Excel Formula (XF) 4.0 malware ∗∗∗
---------------------------------------------
In a new article, researcher Kurt Natvig takes a close look at XF 4.0 malware.
---------------------------------------------
https://www.virusbulletin.com/blog/2021/02/new-article-decompiling-excel-formula-xf-40-malware/

∗∗∗ Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion ∗∗∗
---------------------------------------------
Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

∗∗∗ Checkout Skimmers Powered by Chip Cards ∗∗∗
---------------------------------------------
Easily the most sophisticated skimming devices made for hacking terminals at retail self-checkout lanes are a new breed of PIN pad overlay combined with a flexible, paper-thin device that fits inside the terminals chip reader slot. What enables these skimmers to be so slim? They draw their power from the low-voltage current that gets triggered when a chip-based card is inserted. As a result, they do not require external batteries, and can remain in operation indefinitely.
---------------------------------------------
https://krebsonsecurity.com/2021/02/checkout-skimmers-powered-by-chip-cards/

∗∗∗ Clop targets execs, ransomware tactics get another new twist ∗∗∗
---------------------------------------------
Clops targeting of executives workstations is the latest in a string of recent innovations in ransomware.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist/

∗∗∗ UK Banks 2FA Being Bypassed ∗∗∗
---------------------------------------------
Akamai and Cyjax have published reports on a campaign that is bypassing 2FA in order to employ a multi-part phishing kit. Functionality of this kit does not behave as typically expected. This particular phishing kit uses a centralized control panel, a departure from typical phishing operations.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/75c736c5e365bdd5636268f9815039da

=====================
=  Vulnerabilities  =
=====================

∗∗∗ Browser-Updates: Firefox 86 und 78.8 ESR umfassen wichtige Sicherheitsupdates ∗∗∗
---------------------------------------------
Mozillas frisch erschienene Browser-Versionen bergen neben neuen Funktionen auch Schwachstellen-Fixes. Von mehreren geht ein hohes Sicherheitsrisiko aus.
---------------------------------------------
https://heise.de/-5063402

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (connman, firejail, kernel, python-django, roundcubemail, and wpa_supplicant), Fedora (gdk-pixbuf2 and gdk-pixbuf2-xlib), openSUSE (python3 and tomcat), Scientific Linux (xterm), SUSE (postgresql12 and postgresql13), and Ubuntu (gdk-pixbuf, openldap, python-django, and qemu).
---------------------------------------------
https://lwn.net/Articles/847150/

*** Synology Security Advisories ***
---------------------------------------------
Synology-SA-21:09 WebDAV Server
A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of WebDAV Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_09

Synology-SA-21:08 Docker
A vulnerability allows local users to read or write arbitrary files via a susceptible version of Docker.
https://www.synology.com/en-global/support/security/Synology_SA_21_08

Synology-SA-21:07 Synology Directory Server
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Directory Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_07

Synology-SA-21:06 CardDAV Server
A vulnerability allows remote authenticated users to execute arbitrary SQL commands via a susceptible version of CardDAV Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_06

Synology-SA-21:05 Audio Station
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Audio Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_05

Synology-SA-21:04 Video Station
A vulnerability allows remote authenticated users to access intranet resources via a susceptible version of Video Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_04

Synology-SA-21:03 DSM
Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).
https://www.synology.com/en-global/support/security/Synology_SA_21_03
---------------------------------------------
https://www.synology.com/en-global/security/advisory

∗∗∗ Security Vulnerabilities fixed in Thunderbird 78.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/

∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu/

∗∗∗ Security Bulletin: Multiple CVEs – Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-designer-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-2/

∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities-6/

∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily