[CERT-daily] Tageszusammenfassung - 03.03.2021
Daily end-of-shift report
team at cert.at
Wed Mar 3 19:17:01 CET 2021
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-03-2021 18:00 − Mittwoch 03-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Qakbot infection with Cobalt Strike, (Wed, Mar 3rd) ∗∗∗
---------------------------------------------
On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.
---------------------------------------------
https://isc.sans.edu/diary/rss/27158
∗∗∗ Qualys hit with ransomware: Customer invoices leaked on extortionists Tor blog ∗∗∗
---------------------------------------------
Ace infosec biz aware and investigating, were told Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/03/03/qualys_ransomware_clop_gang/
∗∗∗ „Urlaubsguru ReiseWelt“ bewirbt Fake-Reiseangebote auf Facebook und Instagram ∗∗∗
---------------------------------------------
12 Nächte Malediven oder zwei Wochen Thailand? Und das zu einem unschlagbaren Preis und mit der Versicherung 48 Stunden vor der Reise kostenlos stornieren zu können? Das klingt zu gut, um wahr zu sein? Ist es in diesem Fall auch. Auf Facebook und Instagram bewirbt der betrügerische Anbieter „Urlaubsguru ReiseWelt“ unglaubliche Angebote. Doch statt der versprochenen Traumreise, wird Ihnen nur das Geld gestohlen.
---------------------------------------------
https://www.watchlist-internet.at/news/urlaubsguru-reisewelt-bewirbt-fake-reiseangebote-auf-facebook-und-instagram/
∗∗∗ Threat Actor Group Cloud Atlas Tracked by DomainTools Researchers ∗∗∗
---------------------------------------------
Researchers from DomainTools continue to see an APT group known as Cloud Atlas (also known as Inception) run campaigns which primarily focus on targeting countries formerly part of the Soviet Union with an emphasis on energy and political themes.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/ca6c08f0161ffd21cad662b80fa63cef
=====================
= Vulnerabilities =
=====================
∗∗∗ Android-Patchday: Kritische Remote-Sicherheitslücke aus Betriebssystem beseitigt ∗∗∗
---------------------------------------------
Zum Patchday im März hat Google unter anderem mehrere kritische Sicherheitslücken aus Android entfernt. Pixel-Geräte erhalten zahlreiche Zusatz-Patches.
---------------------------------------------
https://heise.de/-5070821
∗∗∗ Medium Severity Vulnerability Patched in User Profile Picture Plugin ∗∗∗
---------------------------------------------
On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information.
---------------------------------------------
https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).
---------------------------------------------
https://lwn.net/Articles/848089/
∗∗∗ Kritische Sicherheitslücken in Microsoft Exchange Server - Patches verfügbar ∗∗∗
---------------------------------------------
Microsoft hat außerhalb des üblichen Update-Zyklus mehrere Patches für Microsoft Exchange zur Verfügung gestellt. Einige der darin behobenen Sicherheitslücken werden nach Angaben von Microsoft und der IT-Sicherheits-Firma Volexity bereits aktiv ausgenutzt.
---------------------------------------------
https://cert.at/de/warnungen/2021/3/kritische-sicherheitslucken-in-microsoft-exchange-server-patches-verfugbar
∗∗∗ Side Channel Key Extraction Vulnerability in Bosch IP Cameras and Encoders ∗∗∗
---------------------------------------------
BOSCH-SA-762869-BT: A recently discovered side channel attack for the NXP P5x security microcontrollers was made public. It allows attackers to extract an ECDSA private key after extensive physical access to the chip.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-762869-bt.html
∗∗∗ Cisco Security Advisories - March 3rd, 2021 ∗∗∗
---------------------------------------------
Cisco has published thirteen Security Advisories. Of the advisories, one is rated as High and twelve are rated as Medium. For all advisories listed below, it is noted that Ciscos Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities" [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/a3892fab975bdb6f39d025581dba227c
∗∗∗ SECURITY BULLETIN: Trend Micro Scan Engine Memory Exhaustion Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000285675
∗∗∗ Security Bulletin: IBM Security Verify Bridge uses a hard-coded key to encrypt the client secret (CVE-2021-20442) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridge-uses-a-hard-coded-key-to-encrypt-the-client-secret-cve-2021-20442/
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js proxy library that has a known vulnerability (183561) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-uses-a-node-js-proxy-library-that-has-a-known-vulnerability-183561/
∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os-version-supported/
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-cross-site-scripting-vulnerability-2/
∗∗∗ Security Bulletin: IBM Security Verify Bridge uses relatively weak cryptographic algorithms in two of its functions (CVE-2021-20441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridge-uses-relatively-weak-cryptographic-algorithms-in-two-of-its-functions-cve-2021-20441/
∗∗∗ Security Bulletin: Android Mobile SDK compile builder includes vulnerable components ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-android-mobile-sdk-compile-builder-includes-vulnerable-components/
∗∗∗ VMSA-2021-0003 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0003.html
∗∗∗ Linux nfsd kernel vulnerability CVE-2020-24394 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04553557?utm_source=f5support&utm_medium=RSS
∗∗∗ Hitachi ABB Power Grids Ellipse EAM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-061-01
∗∗∗ Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-061-02
∗∗∗ MB connect line mbCONNECT24, mymbCONNECT24 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-061-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list