[CERT-daily] Tageszusammenfassung - 29.07.2021
Daily end-of-shift report
team at cert.at
Thu Jul 29 18:15:11 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-07-2021 18:00 − Donnerstag 29-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Verschlüsselung: Windows-Verschlüsselung Bitlocker trotz TPM-Schutz umgangen ∗∗∗
---------------------------------------------
Eine mit Bitlocker verschlüsselte SSD mit TPM-Schutz lässt sich relativ einfach knacken. Ein Passwort schützt, ist aber nicht der Standard.
---------------------------------------------
https://www.golem.de/news/verschluesselung-windows-verschluesselung-bitlocker-trotz-tpm-schutz-umgangen-2107-158524-rss.html
∗∗∗ Voucher von EUSC 2021 für kostenlose Hotelübernachtungen? Versteckte Kosten! ∗∗∗
---------------------------------------------
Auf Facebook und Instagram wird von „EUCS 2021“ eine Umfrage zu Tourismuspräferenzen beworben. Als Dankeschön für die Teilnahme wird ein Voucher für 3 kostenlose Übernachtungen für 2 Personen versprochen. Beim Einlösen dieses Gutscheins werden jedoch unterschiedliche Gebühren fällig.
---------------------------------------------
https://www.watchlist-internet.at/news/voucher-von-eusc-2021-fuer-kostenlose-hoteluebernachtungen-versteckte-kosten/
∗∗∗ Microsoft Security Update Revisions (29. Juli 2021) ∗∗∗
---------------------------------------------
Kurzinformation für Windows-Admins im Firmenumfeld. Microsoft hat die Nacht zum 29.7.2021 revidierte Sicherheitsupdates zur Abschwächung der NTLM Relay Attacken auf Active Directory-Zertifikate und zur Schwachstelle CVE-2021-36934 (Windows Elevation of Privilege Vulnerability) veröffentlicht. Ich stelle es man unkommentiert hier zur Info [...]
---------------------------------------------
https://www.borncity.com/blog/2021/07/29/microsoft-security-update-revisions-29-juli-2021/
∗∗∗ DoppelPaymer ransomware gang rebrands as the Grief group ∗∗∗
---------------------------------------------
After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang-rebrands-as-the-grief-group/
∗∗∗ Tools To Quickly Extract Indicators of Compromise ∗∗∗
---------------------------------------------
Brush up on indicators of compromise, their relationship to your internal threat intelligence, and tools to help you quickly extract them from PDFs and plain text.
---------------------------------------------
https://www.domaintools.com/resources/blog/tools-to-quickly-extract-indicators-of-compromise
∗∗∗ APT trends report Q2 2021 ∗∗∗
---------------------------------------------
This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.
---------------------------------------------
https://securelist.com/apt-trends-report-q2-2021/103517/
∗∗∗ Reboot of PunkSpider Tool at DEF CON Stirs Debate ∗∗∗
---------------------------------------------
Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON.
---------------------------------------------
https://threatpost.com/punkspider-def-con-debate/168223/
∗∗∗ Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them ∗∗∗
---------------------------------------------
Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them.
---------------------------------------------
https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/
∗∗∗ BazaCall: Phony call centers lead to exfiltration and ransomware ∗∗∗
---------------------------------------------
Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/
∗∗∗ Malicious Content Delivered Through archive.org, (Thu, Jul 29th) ∗∗∗
---------------------------------------------
archive.org[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself.
---------------------------------------------
https://isc.sans.edu/diary/rss/27688
∗∗∗ Stylish Magento Card Stealer loads Without Script Tags ∗∗∗
---------------------------------------------
Recently one of our analysts, Weston H., found a very interesting credit card stealer in a Magento environment which loads a malicious JavaScript without using any script tags. In this post I will go over how it was found, how to decode it and how it works!
---------------------------------------------
https://blog.sucuri.net/2021/07/stylish-magento-card-stealer-loads-without-script-tags.html
∗∗∗ Crimea "manifesto" deploys VBA Rat using double attack vectors ∗∗∗
---------------------------------------------
On July 21, 2021, we identified a suspicious document named "Манифест.docx" ("Manifest.docx") that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery.
---------------------------------------------
https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/
∗∗∗ “Netfilter Rootkit II ” Continues to Hold WHQL Signatures ∗∗∗
---------------------------------------------
Recently, 360 Security Center discovered that a malicious driver “Netfilter rootkit” with WHQL signature was revealed in mid-June. WHQL signature means that after the [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/
∗∗∗ Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers ∗∗∗
---------------------------------------------
Regularly rebooting smartphones can make even the most sophisticated hackers work harder to maintain access and steal data from a phone
---------------------------------------------
https://www.securityweek.com/turn-turn-simple-step-can-thwart-top-phone-hackers
∗∗∗ McAfee: Babuk ransomware decryptor causes encryption beyond repair ∗∗∗
---------------------------------------------
Babuk announced earlier this year that it would be targeting Linux/UNIX and ESXi or VMware systems with ransomware.
---------------------------------------------
https://www.zdnet.com/article/mcafee-babuk-ransomware-decryptor-causes-encryption-beyond-repair/
∗∗∗ New Android malware records smartphones via VNC to steal passwords ∗∗∗
---------------------------------------------
Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record a victims smartphone screen in order to collect and steal their passwords.
---------------------------------------------
https://therecord.media/new-android-malware-records-smartphones-via-vnc-to-steal-passwords/
∗∗∗ Communication during a hacker attack ∗∗∗
---------------------------------------------
You cannot trust your office PC during a major incident. You can neither trust your usual communication and collaboration tools. If an attacker can authenticate on any domain-joined device with any domain user, the game is over.
---------------------------------------------
https://securityguide.me/issues/communication-during-a-hacker-attack
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-909: (0Day) Microsoft 3D Viewer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft 3D Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-909/
∗∗∗ Drupal: Wichtiges Sicherheitsupdate für "Pages Restriction Access"-Modul ∗∗∗
---------------------------------------------
Ein Update für "Pages Restriction Access" für die 8er-Versionsreihe des CMS Drupal beseitigt Zugriffsmöglichkeiten über eine kritische Sicherheitslücke.
---------------------------------------------
https://heise.de/-6150416
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and [...]
---------------------------------------------
https://lwn.net/Articles/864577/
∗∗∗ Tomcat vulnerability CVE-2021-30640 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K35033051
∗∗∗ Apache Tomcat vulnerability CVE-2021-30639 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K87895241
∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affects-ibm-infosphere-information-server/
∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27219) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affects-ibm-elastic-storage-system-cve-2021-27219/
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Elastic Storage System (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-elastic-storage-system-cve-2020-5258/
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-14/
∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-20505 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-is-being-released-to-address-cve-2021-20505/
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-spectrum-scale-2/
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-fixed-in-openssl-as-shipped-with-ibm-security-verify-products/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list