[CERT-daily] Tageszusammenfassung - 04.05.2021
Daily end-of-shift report
team at cert.at
Tue May 4 18:20:21 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-05-2021 18:00 − Dienstag 04-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Webkit: Apple warnt vor Zero Days in iOS und MacOS ∗∗∗
---------------------------------------------
Die Apple-Lücken in Webkit werden wohl bereits aktiv ausgenutzt. Das Unternehmen stellt Updates bereit.
---------------------------------------------
https://www.golem.de/news/webkit-apple-warnt-vor-zero-days-in-ios-2105-156227-rss.html
∗∗∗ 21Nails vulnerabilities impact 60% of the internet’s email servers ∗∗∗
---------------------------------------------
The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors.
---------------------------------------------
https://therecord.media/21nails-vulnerabilities-impact-60-of-the-internets-email-servers/
∗∗∗ Pingback: Backdoor At The End Of The ICMP Tunnel ∗∗∗
---------------------------------------------
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/
∗∗∗ RM3 - Curiosities of the wildest banking malware ∗∗∗
---------------------------------------------
TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We’ll start with an overview of its origins and current operations before providing a deep dive technical analysis [...]
---------------------------------------------
https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/
∗∗∗ Firebase Domain Front - Hiding C2 as App traffic ∗∗∗
---------------------------------------------
We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters
---------------------------------------------
https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding-c2-as-app-traffic
∗∗∗ Jetzt patchen! Sicherheitsupdate für Pulse Connect Secure verfügbar ∗∗∗
---------------------------------------------
In einer aktualisierten Version der VPN-Software Pulse Connect Secure von Ivanti haben die Entwickler kritische Lücken geschlossen.
---------------------------------------------
https://heise.de/-6035501
∗∗∗ ATT&CK v9 Introduces Containers, Google Workspace ∗∗∗
---------------------------------------------
MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform.
---------------------------------------------
https://www.securityweek.com/attck-v9-introduces-containers-google-workspace
∗∗∗ Anzügliche Sex-Nachrichten auf Facebook & Instagram: Dahinter steckt Betrug ∗∗∗
---------------------------------------------
Facebook- und Instagram-NutzerInnen kennen es: Freundschaftsanfragen oder Nachrichten von unbekannten, meist freizügig gekleideten Frauen. Auf Instagram werden NutzerInnen auch sehr häufig zu fragwürdigen Gruppen hinzugefügt oder von Unbekannten auf Bildern markiert. Dahinter stecken Fake-Profile oder Bots, die auf unseriöse Dating-Portale locken, Daten sammeln oder nach Zugangsdaten fischen.
---------------------------------------------
https://www.watchlist-internet.at/news/anzuegliche-sex-nachrichten-auf-facebook-instagram-dahinter-steckt-betrug/
∗∗∗ Three new malware families found in global finance phishing campaign ∗∗∗
---------------------------------------------
Doubledrag, Doubledrop, and Doubleback are the work of “experienced” threat actors.
---------------------------------------------
https://www.zdnet.com/article/researchers-find-three-new-malware-families-used-in-global-finance-phishing-campaign/
=====================
= Vulnerabilities =
=====================
∗∗∗ Aktiv ausgenutzte Lücken: Apple patcht iOS, macOS und watchOS ∗∗∗
---------------------------------------------
macOS 11.3.1, iOS 14.5.1 und watchOS 7.4.1 beheben ein akutes Sicherheitsproblem in Safari. Außerdem wird ein Bug beim iPhone-App-Tracking-Schutz gefixt.
---------------------------------------------
https://heise.de/-6035220
∗∗∗ Android-Patchday: Kritische System-Lücke gibt Angreifern die volle Kontrolle ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen.
---------------------------------------------
https://heise.de/-6035560
∗∗∗ Xen Security Advisory CVE-2021-28689 / XSA-370 - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests ∗∗∗
---------------------------------------------
A malicious 32-bit guest kernel may be able to mount a Spectre v2 attack against Xen, despite the presence hardware protections being active. It therefore might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-370.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba).
---------------------------------------------
https://lwn.net/Articles/855308/
∗∗∗ High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices ∗∗∗
---------------------------------------------
Owners of Dell devices were informed on Tuesday that a firmware update driver present on a large number of systems is affected by a series of high-severity vulnerabilities.
---------------------------------------------
https://www.securityweek.com/high-severity-dell-driver-vulnerabilities-impact-hundreds-millions-devices
∗∗∗ Synology-SA-21:18 Hyper Backup ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Hyper Backup.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_18
∗∗∗ Security Bulletin: Go is vulnerable to a denial of service on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-a-denial-of-service-on-ibm-watson-machine-learning-on-cp4d/
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with segmentation fault on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-with-segmentation-fault-on-ibm-watson-machine-learning-on-cp4d/
∗∗∗ Security Bulletin: GO is vulnerable to allows attacks on clients on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-allows-attacks-on-clients-on-ibm-watson-machine-learning-on-cp4d/
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-aix-cve-2021-23839-cve-2021-23840-and-cve-2021-23841-2/
∗∗∗ Security Bulletin: A vulnerability exists in the management GUI of the IBM FlashSystem 900 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-the-management-gui-of-the-ibm-flashsystem-900/
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-with-denial-of-service-on-ibm-watson-machine-learning-on-cp4d/
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-with-denial-of-service-on-ibm-watson-machine-learning-server/
∗∗∗ Security Bulletin: TensorFlow is vulnerable to a heap-based buffer overflow on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-is-vulnerable-to-a-heap-based-buffer-overflow-on-ibm-watson-machine-learning-on-cp4d/
∗∗∗ Security Bulletin: GO security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-go-security-vulnerabilities-on-ibm-watson-machine-learning-server/
∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3049, CVE-2021-3050) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-affect-ibm-sterling-connectexpress-for-unix-cve-2021-3049-cve-2021-3050/
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-cve-2021-20454-2/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list