[CERT-daily] Tageszusammenfassung - 17.06.2021

Daily end-of-shift report team at cert.at
Thu Jun 17 18:10:41 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 16-06-2021 18:00 − Donnerstag 17-06-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Criminals are mailing hacked Ledger devices to steal cryptocurrency ∗∗∗
---------------------------------------------
Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.
---------------------------------------------
https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-hacked-ledger-devices-to-steal-cryptocurrency/


∗∗∗ Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th) ∗∗∗
---------------------------------------------
The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts.
---------------------------------------------
https://isc.sans.edu/diary/rss/27536


∗∗∗ Top 5 ICS Incident Response Tabletops and How to Run Them ∗∗∗
---------------------------------------------
In this blog SANS instructor, Dean Parsons, discusses the top five ICS incident response table tops and how to run them. How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against Ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure?
---------------------------------------------
https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them?msc=rss


∗∗∗ What you need to know about Process Ghosting, a new executable image tampering attack ∗∗∗
---------------------------------------------
This blog describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).
---------------------------------------------
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack


∗∗∗ Google schickt Framework gegen Supply-Chain-Angriffe ins Rennen ∗∗∗
---------------------------------------------
SLSA soll die Integrität von Code vom Einchecken ins Repository über den Build-Prozess bis zum Verwenden von Paketen sicherstellen.
---------------------------------------------
https://heise.de/-6073057


∗∗∗ Cybercriminals go after Amazon Prime Day Shoppers ∗∗∗
---------------------------------------------
- In the last 30 days, over 2300 new domains were registered about Amazon, a 10% increase from the previous Amazon Prime Day, where the majority now are either malicious or suspicious
- Almost 1 out of 2 (46%) of new domains registered containing the word “Amazon” are malicious
- Almost 1 out of 3 (32%) of new domains registered with the word “Amazon” are deemed suspicious
---------------------------------------------
https://blog.checkpoint.com/2021/06/16/cybercriminals-go-after-amazon-prime-day-shoppers/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Hitachi Application Server Help vulnerable cross-site scripting ∗∗∗
---------------------------------------------
The following products are affected by the vulnerability.
* Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier
* Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier
Solution: Apply the appropriate latest version of the help according to the information provided by the developer.
---------------------------------------------
https://jvn.jp/en/jp/JVN03776901/


∗∗∗ Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015 ∗∗∗
---------------------------------------------
Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didnt make it into Drupal Core 8.0.x and port them.The module doesnt sufficiently handle block access control on its EntityView plugin.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-015


∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017 ∗∗∗
---------------------------------------------
This module provides a revision UI to Block Content entities.The module doesnt sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-017


∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016 ∗∗∗
---------------------------------------------
This module provides a revision UI to Linky entities.The module doesnt sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-016


∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco hat Security Advisories zu acht Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, vier als "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F06%2F16&firstPublishedEndDate=2021%2F06%2F16


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (gnupnp and postgresql), Fedora (dino, microcode_ctl, and xen), Mageia (apache, gsoap, libgd, openssh, perl-Image-ExifTool, python-bleach, and qt4 and qtsvg5), openSUSE (chromium, containerd, docker, runc, djvulibre, htmldoc, kernel, libjpeg-turbo, libopenmpt, libxml2, spice, squid, and ucode-intel), Red Hat (dhcp and glib2), SUSE (apache2, inn, java-1_8_0-openjdk, and webkit2gtk3), and Ubuntu (nettle).
---------------------------------------------
https://lwn.net/Articles/860128/


∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Sicherheitsvorkehrungen zu umgehen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0666


∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um einen Denial of Service oder Cross Site Scripting Angriff durchzuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0669


∗∗∗ Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-icu-vulnerability-affects-ibm-control-center-cve-2020-10531/


∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Java vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-cloud-pak-for-data-might-be-affected-by-some-underlying-java-vulnerabilities/


∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying WebSphere Liberty vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-cloud-pak-for-data-might-be-affected-by-some-underlying-websphere-liberty-vulnerabilities/


∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-password-synchronization-plug-in-for-windows-ad-affected-by-multiple-vulnerabilities-cve-2021-20483-cve-2021-20488-2/


∗∗∗ Security Bulletin: Vulnerability in the AIX trace facility (CVE-2021-29706) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-trace-facility-cve-2021-29706/


∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-oracle-mysql-2/


∗∗∗ Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-jasperreports-vulnerabilities-affect-ibm-control-center-cve-2020-9410-cve-2018-18809/


∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-java-batch-is-vulnerable-to-an-xml-external-entity-injection-xxe-vulnerability-cve-2021-20492-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list