[CERT-daily] Tageszusammenfassung - 05.03.2021

Daily end-of-shift report team at cert.at
Fri Mar 5 18:23:40 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 04-03-2021 18:30 − Freitag 05-03-2021 18:30
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Microsoft: Exchange updates can install without fixing vulnerabilities ∗∗∗
---------------------------------------------
Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-can-install-without-fixing-vulnerabilities/


∗∗∗ D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant ∗∗∗
---------------------------------------------
A new variant of the Gafgyt botnet - thats actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say.
---------------------------------------------
https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/


∗∗∗ QNAP NAS users, make sure you check your system ∗∗∗
---------------------------------------------
On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1], upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.
---------------------------------------------
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/


∗∗∗ Spam Farm Spotted in the Wild, (Fri, Mar 5th) ∗∗∗
---------------------------------------------
If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails.
---------------------------------------------
https://isc.sans.edu/diary/rss/27170


∗∗∗ Kampf der Excel-Schadsoftware: AMSI gegen verseuchten XML-Code ∗∗∗
---------------------------------------------
Microsoft baut sein Antimalware Scan Interface (AMSI) aus. Neben VBA- kann es jetzt auch XML-Code scannen.
---------------------------------------------
https://heise.de/-5073364


∗∗∗ QNAPCrypt and SunCrypt Ransomware Connection ∗∗∗
---------------------------------------------
Intezer has published a blog posting that provides an analysis of the connections between the QNAPCrypt and SunCrypt ransomware. SunCrypt is affiliate ransomware service while QNAPCrypt surfaced in 2019 and was used to target devices from QNAP and Synology. The analysis concludes that the current SunCrypt ransomware shares many similarities [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/75ee68a919cad9c434c63bfb0e3f2b2f


∗∗∗ GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence ∗∗∗
---------------------------------------------
Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM - the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Grub 2: Acht neue Schwachstellen im Bootloader ∗∗∗
---------------------------------------------
Die Entwickler von Grub 2 haben mehrere Lücken gemeldet. Einige davon können erneut Secure Boot aushebeln, was den Update-Prozess deutlich verkompliziert.
---------------------------------------------
https://heise.de/-5073481


∗∗∗ Benchmarking-Tool VMware View Planner ist für Schadcode anfällig ∗∗∗
---------------------------------------------
Es gibt ein wichtiges Sicherheitsupdate für VMware View Planner. Unter bestimmten Voraussetzungen könnten Angreifer eigene Befehle ausführen.
---------------------------------------------
https://heise.de/-5073000


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).
---------------------------------------------
https://lwn.net/Articles/848416/


∗∗∗ Supermicro, Pulse Secure Respond to Trickbots Ability to Target Firmware ∗∗∗
---------------------------------------------
Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.
---------------------------------------------
https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-ability-target-firmware


∗∗∗ ICS-CERT Advisories March 04 2021 ∗∗∗
---------------------------------------------
The ICS-CERT has published 2 advisories that affect Rockwell Automation 1734-AENTR Series B and Series C, and Schneider Electric EcoStruxure Building Operation (EBO). Further information is available from the advisories which are summarised below. 
https://us-cert.cisa.gov/ics/advisories/icsa-21-063-01 
https://us-cert.cisa.gov/ics/advisories/icsa-21-063-02 
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/32af714c7074693f32dfa23b26366c8a


∗∗∗ BIND vulnerability CVE-2020-8625 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13591074?utm_source=f5support&utm_medium=RSS


∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0238


∗∗∗ Security Bulletin: Google-api-client as used by IBM QRadar SIEM is vulnerable to authorization bypass (CVE-2020-7692) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used-by-ibm-qradar-siem-is-vulnerable-to-authorization-bypass-cve-2020-7692-2/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-python-3/


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (March 2021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-march-2021/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-connectdirect-web-services-2/


∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-ibm-websphere-application-server-shipped-with-ibm-storediq-for-legal/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list