[CERT-daily] Tageszusammenfassung - 16.03.2021
Daily end-of-shift report
team at cert.at
Tue Mar 16 18:38:07 CET 2021
=====================
= End-of-Day report =
=====================
Timeframe: Montag 15-03-2021 18:30 − Dienstag 16-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ FBI warns of escalating Pysa ransomware attacks on education orgs ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa-ransomware-attacks-on-education-orgs/
∗∗∗ One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 ∗∗∗
---------------------------------------------
We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
∗∗∗ Videokonferenzen: Damit Vertrauliches vertraulich bleibt ∗∗∗
---------------------------------------------
Durch die Corona-Pandemie hat die Nutzung von Videokonferenzlösungen in Verwaltung und Wirtschaft erheblich zugenommen. Die Systeme dienen dabei nicht nur der Kommunikation, sondern auch dem gemeinsamen Erstellen und Bearbeiten von Dokumenten.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/210316_Mindeststandards-Videokonferenzen.html
∗∗∗ Eine Rasterbrille auf ayurreadpro.com kaufen? – Wir raten davon ab! ∗∗∗
---------------------------------------------
Wer online nach Möglichkeiten zur Verbesserung der Sehkraft oder Methoden zum Augentraining sucht, stoßt höchstwahrscheinlich auf Rasterbrillen. Rasterbrillen sind schwarze Kunststoffbrillen mit Lochmuster in den „Gläsern“, die angeblich Sehschwächen vorbeugen und verbessern. Für die Wirksamkeit der knapp 60 Euro-Brille gibt es jedoch keine wissenschaftlich bestätigten Studien. Im Extremfall könnten sogar ernstzunehmende Schäden [...]
---------------------------------------------
https://www.watchlist-internet.at/news/eine-rasterbrille-auf-ayurreadprocom-kaufen-wir-raten-davon-ab/
∗∗∗ Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th) ∗∗∗
---------------------------------------------
Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consist of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.
---------------------------------------------
https://isc.sans.edu/diary/rss/27204
∗∗∗ Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks ∗∗∗
---------------------------------------------
A new research has yielded yet another means to pilfer sensitive data by exploiting whats the first "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this [...]
---------------------------------------------
https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
∗∗∗ Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution ∗∗∗
---------------------------------------------
We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection.
---------------------------------------------
https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonitor-for-remote-code-execution/
∗∗∗ Hackers are targeting telecoms companies to steal 5G secrets ∗∗∗
---------------------------------------------
Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-steal-5g-secrets/
∗∗∗ Exploring my doorbell ∗∗∗
---------------------------------------------
Ive talked about my doorbell before, but started looking at it again this week because sometimes it simply doesnt send notifications to my Home Assistant setup - the push notifications appear on my phone, but the doorbell simply doesnt trigger the HTTP callback its meant to[1]. This is obviously suboptimal, but its also tricky to debug a device when you have no access to it.
---------------------------------------------
https://mjg59.dreamwidth.org/56345.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, [...]
---------------------------------------------
https://lwn.net/Articles/849501/
∗∗∗ This years-old Microsoft Office vulnerability is still popular with hackers, so patch now ∗∗∗
---------------------------------------------
Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware.
---------------------------------------------
https://www.zdnet.com/article/this-years-old-microsoft-office-vulnerability-is-still-popular-with-hackers-so-patch-now/
∗∗∗ Aktuelle Zahlen zu den Exchange Schwachstellen in Österreich ∗∗∗
---------------------------------------------
TL;DR
1074 Exchange Server nach wie vor ungepatched (Stand: 2021-03-16). Nach den ersten aktiven Scans zwischen dem 9. und 12. März waren es noch 2236.
Bisher wurden 465 Webshells von Shadowserver und Kryptos Logic in Österreich gefunden.
Die initiale Patch-Disziplin war anscheinend hoch.
Wenn möglich, Microsofts Script unter https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt zum Finden und Mitigieren von Webshells [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwachstellen-in-osterreich
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Cross-site Scripting vulnerability in Advantech WebAccess/SCADA browser-based software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-01
∗∗∗ GE UR family ∗∗∗
---------------------------------------------
This advisory contains mitigations for multiple vulnerabilities in GE UR family of protection and control relays.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02
∗∗∗ Hitachi ABB Power Grids AFS Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Infinite Loop vulnerability in Hitachi ABB Power Grids AFS Series products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-03
∗∗∗ BD Alaris 8015 PC Unit (Update B) ∗∗∗
---------------------------------------------
[...] This advisory contains compensating controls to reduce the risk of exploitation of insufficiently protected credentials and security features vulnerabilities in BD Alaris 8015 Point of Care units, which provide a common user interface for programming [...]
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02
∗∗∗ DP API encryption ineffective in Windows containers: Publicly Available Cryptographic Keys (CVE-2021-1645) ∗∗∗
---------------------------------------------
We recently discovered a vulnerability in the DP API key management of Windows containers. This vulnerability was assigned CVE-2021-1645 by Microsoft [1] and allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. This vulnerability was discovered in close cooperation with SignPath [2].
---------------------------------------------
https://certitude.consulting/blog/en/windows-docker-dp-api-vulnerability-cve-2021-1645/
∗∗∗ Apache Tomcat vulnerability CVE-2021-25329 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K73648110
∗∗∗ Apache Tomcat vulnerability CVE-2021-25122 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00174195
∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0276
∗∗∗ TYPO3 Core: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0275
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-6/
∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-affect-powersc-cve-2020-8284-cve-2020-8285-and-cve-2020-8286/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-aix-5/
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-spectrum-scale-gui-2/
∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-management-module-cmm-is-affected-by-vulnerabilities-in-libxml2/
∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into log files (CVE-2020-4851) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-spectrum-scale-allows-to-inject-malicious-content-into-log-files-cve-2020-4851/
∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-se-affects-ibm-spectrum-scale/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list