[CERT-daily] Daily summary - 01.06.2021
Daily end-of-shift report
team at cert.at
Tue Jun 1 18:23:59 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Monday 31-05-2021 18:00 − Tuesday 01-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firefox 89 and ESR 78.11: New browser versions, new security updates ∗∗∗
---------------------------------------------
Alongside new features, the Mozilla team has also given the freshly released Firefox versions vulnerability patches.
---------------------------------------------
https://heise.de/-6059513
∗∗∗ Planning a holiday in Croatia? Beware of paid registration sites such as enter-croatia.com! ∗∗∗
---------------------------------------------
Many Austrians are looking forward to finally travelling to Croatia again. Due to the COVID-19 pandemic, however, stricter entry requirements apply, such as the recommendation of a free online registration. Providers such as Visa Gate GmbH exploit the uncertainty of many tourists and put paid registration sites online. We recommend that you do not carry out the (voluntary) online registration via enter-croatia.com!
---------------------------------------------
https://www.watchlist-internet.at/news/kroatien-urlaub-geplant-nehmen-sie-sich-vor-kostenpflichtigen-registrierungsseiten-wie-enter-croati/
∗∗∗ Windows 10's package manager flooded with duplicate, malformed apps ∗∗∗
---------------------------------------------
Microsoft's Windows 10 package manager Winget's GitHub has been flooded with duplicate apps and malformed manifest files, raising concerns among developers with regards to the integrity of apps.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10s-package-manager-flooded-with-duplicate-malformed-apps/
∗∗∗ Quick and dirty Python: nmap, (Mon, May 31st) ∗∗∗
---------------------------------------------
Continuing on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running.
---------------------------------------------
https://isc.sans.edu/diary/rss/27480
∗∗∗ Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st) ∗∗∗
---------------------------------------------
We recently identified a new Guildma/Astaroth campaign targeting South America, mainly Brazil, using a new variant of the malware. Guildma is known by its multiple-staged infection chain and evasion techniques to reach victim’s data and exfiltrate them. In a previous diary [1] at Morphus Labs, we analyzed a Guildma variant which employed an innovative strategy to stay active, using Facebook and YouTube to get a new list of its C2 servers.
---------------------------------------------
https://isc.sans.edu/diary/rss/27482
∗∗∗ Evadere Classifications ∗∗∗
---------------------------------------------
The term evasion is derived from the Latin word "evadere" which means - "To escape, to get away." The DOD defines evasion as - "The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control." [...] This made me think - what does evasion or bypass truly mean? Are there different categories that these evasion techniques fit into? Lastly, if these techniques are to fit into categories - how can detection engineers leverage these for engagements?
---------------------------------------------
https://posts.specterops.io/evadere-classifications-8851a429c94b
∗∗∗ Revisiting the NSIS-based crypter ∗∗∗
---------------------------------------------
In this blog we look at the constantly evolving NSIS crypter which malware authors have been leveraging as a flexible tool to pack and encrypt their samples.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/
∗∗∗ TeamTNT botnet makes 50,000 victims over the last three months ∗∗∗
---------------------------------------------
TeamTNT, a crypto-mining botnet specialized in infecting misconfigured Docker and Kubernetes platforms, has compromised more than 50,000 systems over the last three months, between March and May 2021, security firm Trend Micro said last week.
---------------------------------------------
https://therecord.media/teamtnt-botnet-makes-50000-victims-over-the-last-three-months/
=====================
= Vulnerabilities =
=====================
∗∗∗ Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 ∗∗∗
---------------------------------------------
On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of this vulnerability, see lasso.git NEWS. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lasso-saml-jun2021-DOXNRLkD
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cflow, chromium, eterm, gnutls, and kernel), Mageia (kernel and kernel-linus), Oracle (glib2), Red Hat (glib2, kernel, kernel-rt, and kpatch-patch), SUSE (curl, djvulibre, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, nginx, python-httplib2, and slurm), and Ubuntu (gupnp, libwebp, postgresql-10, postgresql-12, postgresql-13, and python3.8).
---------------------------------------------
https://lwn.net/Articles/857830/
∗∗∗ Security Bulletin: A format string security vulnerability has been identified in IBM Spectrum Scale (CVE-2021-29740) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-format-string-security-vulnerability-has-been-identified-in-ibm-spectrum-scale-cve-2021-29740/
∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily