[CERT-daily] Tageszusammenfassung - 19.01.2021

Tue Jan 19 18:14:25 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 18-01-2021 18:00 − Dienstag 19-01-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Linux Devices Under Attack by New FreakOut Malware ∗∗∗
---------------------------------------------
The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks.
---------------------------------------------
https://threatpost.com/linux-attack-freakout-malware/163137/


∗∗∗ Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims networks—which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.
---------------------------------------------
https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html


∗∗∗ Jetzt neues Passwort vergeben! OpenWrt-Forum gehackt ∗∗∗
---------------------------------------------
Angreifer konnten auf Nutzerdaten des OpenWrt-Forums zugreifen. Dort tauschen sich Nutzer des alternativen Betriebssystems u.a. für Router aus.
---------------------------------------------
https://heise.de/-5028697


∗∗∗ Three Word Passwords ∗∗∗
---------------------------------------------
The National Cyber Security Centre (NCSC) have advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency, and multiple police forces in the UK…. but just how strong are these passwords?
---------------------------------------------
https://www.pentestpartners.com/security-blog/three-word-passwords/


∗∗∗ All That for a Coinminer? ∗∗∗
---------------------------------------------
A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tickets ...
---------------------------------------------
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ DNSpooq: Mehrere Sicherheitslücken in Dnsmasq ∗∗∗
---------------------------------------------
Die IT-Sicherheitsfirma JSOF berichtet über mehrere Sicherheitslücken in der DNS-Serversoftware Dnsmasq, die sie DNSpooq genannt hat. Dabei handelt es sich um zwei zunächst völlig unterschiedliche Klassen von Problemen: Buffer Overflows in der Verarbeitung von DNSSEC-Records und einen unzureichenden Schutz vor DNS-Spoofing-Angriffen. ... Dnsmasq hat die entsprechenden Lücken in Version 2.83 geschlossen. Doch in vielen Fällen dürfte es schwer sein, Updates zu installieren. Dnsmasq wird sehr häufig in Embedded-Geräten und auch auf Android-Telefonen eingesetzt - also auf den Geräten, für die es häufig keine regelmäßigen Sicherheitsupdates gibt. Die Webseite von DNSpooq listet eine ganze Reihe von betroffenen Herstellern sowie deren Security-Advisories auf, die Liste dürfte aber unvollständig sein.
---------------------------------------------
https://www.golem.de/news/dnspooq-mehrere-sicherheitsluecken-in-dnsmasq-2101-153513-rss.html


∗∗∗ Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the Universal Plug and Play (UPnP) service and the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow a remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has not released software updates that address these vulnerabilities. There are no workarounds
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).
---------------------------------------------
https://lwn.net/Articles/843142/


∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Confluence ausnutzen, um einen Denial of Service Angriff durchzuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0052


∗∗∗ Philips Interventional Workstations ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01


∗∗∗ Reolink P2P Cameras ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-019-02

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily