[CERT-daily] Daily summary - 08.07.2021
Daily end-of-shift report
team at cert.at
Thu Jul 8 18:14:26 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-07-2021 18:00 − Thursday 08-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ iCloud problem allowed password brute force – Apple in dispute with discoverer ∗∗∗
---------------------------------------------
A security expert managed to reset certain Apple IDs by using a race condition and numerous IPs. iPhone PINs were allegedly at risk as well.
---------------------------------------------
https://heise.de/-6120219
∗∗∗ Beware of fraudulent and dubious apps! ∗∗∗
---------------------------------------------
There are numerous smartphone apps that make everyday life easier. But there are also apps that can make life harder: dubious applications often turn out to be expensive subscription traps or data hoarders. Apps that infect users' devices with malware are also a popular ploy among cybercriminals. We show you how you can protect yourself against them.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-und-unserioesen-apps/
∗∗∗ Kubernetes at risk ∗∗∗
---------------------------------------------
Kubernetes containers and clusters are becoming increasingly popular, but as a result they are also being targeted by hackers. Palo Alto Networks and Red Hat explain the underestimated security risk and how Kubernetes instances become sources of danger.
---------------------------------------------
https://www.zdnet.de/88395662/kubernetes-gefaehrdet/
∗∗∗ Using Sudo with Python For More Security Controls, (Thu, Jul 8th) ∗∗∗
---------------------------------------------
I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I've been using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules!
---------------------------------------------
https://isc.sans.edu/diary/rss/27614
∗∗∗ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails ∗∗∗
---------------------------------------------
On July 2nd, a massive ransomware attack was launched against roughly 50 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
∗∗∗ Magecart Swiper Uses Unorthodox Concatenation ∗∗∗
---------------------------------------------
MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group.
---------------------------------------------
https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html
∗∗∗ Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say ∗∗∗
---------------------------------------------
I pity the spool / Updated / Any celebrations that Microsoft's out-of-band patch had put a stop to PrintNightmare shenanigans may have been premature.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/07/07/printnightmare_fix_fail/
∗∗∗ Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software ∗∗∗
---------------------------------------------
Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya's customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.
---------------------------------------------
https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
∗∗∗ 3 things the Kaseya attack can teach us about ransomware recovery ∗∗∗
---------------------------------------------
Some lessons on dealing with ransomware recovery, thanks to the admirable transparency of a Dutch MSP impacted by the REvil attack on Kaseya.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack-can-teach-us-about-ransomware-recovery/
∗∗∗ Non-Malicious Android Crypto Mining Apps Scam Users at Scale ∗∗∗
---------------------------------------------
With no bad behavior, the mobile apps are difficult to detect by automated security scans
---------------------------------------------
https://www.securityweek.com/non-malicious-android-crypto-mining-apps-scam-users-scale
∗∗∗ Ransomware as a service: Negotiators are now in high demand ∗∗∗
---------------------------------------------
RaaS groups are hiring negotiators whose primary role is to force victims to pay up.
---------------------------------------------
https://www.zdnet.com/article/ransomware-as-a-service-negotiators-between-hackers-and-victims-are-now-in-high-demand/
∗∗∗ Global Phishing Campaign Targets Energy Sector and its Suppliers ∗∗∗
---------------------------------------------
Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign.
---------------------------------------------
https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patch Day July ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to execute arbitrary program code with administrator rights, escalate their privileges, or disclose information.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0725
∗∗∗ Attackers can combine security vulnerabilities in resource planning tool Sage X3 ∗∗∗
---------------------------------------------
Systems running Sage X3 can be attacked via, among other things, a critical vulnerability with the highest possible rating.
---------------------------------------------
https://heise.de/-6132418
∗∗∗ Vulnerability Spotlight: Information disclosure, privilege escalation vulnerabilities in IOBit Advanced SystemCare Ultimate ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. IOBit Advanced SystemCare Ultimate is a system optimizer that promises to remove unwanted files and [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/07/vuln-spotlight-iobit0-.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi).
---------------------------------------------
https://lwn.net/Articles/862163/
∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisco-releases-security-updates-multiple-products
∗∗∗ Kaseya VSA Limited Disclosure ∗∗∗
---------------------------------------------
Why we are only disclosing limited details on the Kaseya vulnerabilities / Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities. Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and [...]
---------------------------------------------
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
∗∗∗ Security Bulletin: CVE-2021-28165 In Eclipse Jetty CPU usage can reach 100% upon receiving a large invalid TLS frame. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-28165-in-eclipse-jetty-cpu-usage-can-reach-100-upon-receiving-a-large-invalid-tls-frame/
∗∗∗ Security Bulletin: CVE-2021-27568 An issue was discovered in netplex json-smart-v1, an exception is thrown from a function ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-27568-an-issue-was-discovered-in-netplex-json-smart-v1-an-exception-is-thrown-from-a-function/
∗∗∗ Security Bulletin: CVE-2021-29711 Agent Upgrade through CLI requires inconsistent permission. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-29711-agent-upgrade-through-cli-requires-inconsistent-permission/
∗∗∗ Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-websphere-application-server-liberty-affects-ibm-cics-tx-on-cloud/
∗∗∗ Security Bulletin: CVE-2020-27223 when Jetty handles a request containing multiple Accept headers the server may enter a denial of service (DoS) state ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-27223-when-jetty-handles-a-request-containing-multiple-accept-headers-the-server-may-enter-a-denial-of-service-dos-state/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily