[CERT-daily] Tageszusammenfassung - 18.05.2021

Daily end-of-shift report team at cert.at
Tue May 18 18:38:32 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 17-05-2021 18:00 − Dienstag 18-05-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Sicherheitsupdate steht noch aus: Root-Lücke in Pulse Connect Secure ∗∗∗
---------------------------------------------
Angreifer könnten VPN Appliances vom Typ Pulse Connect Secure attackieren. Bislang ist nur eine Übergangslösung zu Absicherung verfügbar.
---------------------------------------------
https://heise.de/-6048342


∗∗∗ Unternehmen erhalten gefälschtes Schreiben vom "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe" ∗∗∗
---------------------------------------------
Zahlreiche UnternehmerInnen erhalten momentan einen Brief vom „WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe“ – angeblich eine Behörde zur Verwaltung von Firmendaten. Im Schreiben werden Sie aufgefordert, Ihre Daten zu überprüfen und ggf. zu korrigieren und zu ergänzen. Tun Sie das keinesfalls – es handelt sich um Betrug. Sie werden in eine Abo-Falle gelockt!
---------------------------------------------
https://www.watchlist-internet.at/news/unternehmen-erhalten-gefaelschtes-schreiben-vom-wd-wirtschaftsdienst-fuer-industrie-handel-gewer/


∗∗∗ Ransomware victim shows why transparency in attacks matters ∗∗∗
---------------------------------------------
As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a companys response to an attack that should be used as a model for all future disclosures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-victim-shows-why-transparency-in-attacks-matters/


∗∗∗ Codecov hackers gained access to Monday.com source code ∗∗∗
---------------------------------------------
Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies. As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/codecov-hackers-gained-access-to-mondaycom-source-code/


∗∗∗ DarkSide Hits Toshiba; XSS Forum Bans Ransomware ∗∗∗
---------------------------------------------
The criminal forum washed its hands of ransomware after DarkSides pipeline attack & alleged shutdown: A "loss of servers" that didnt stop another attack.
---------------------------------------------
https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/


∗∗∗ From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th) ∗∗∗
---------------------------------------------
I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported function: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27428


∗∗∗ Exploitation of Sharepoint 2016: Simple Things Matter – Case Study ∗∗∗
---------------------------------------------
This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version 16.0.0.4681. I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018). At that point, I started looking for publicly known exploits and research papers.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploitation-of-sharepoint-2016-simple-things-matter-case-study/


∗∗∗ Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic ∗∗∗
---------------------------------------------
During a recent operation, the Red Team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access.
---------------------------------------------
https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/


∗∗∗ Scammers Impersonating Windows Defender to Push Malicious Windows Apps ∗∗∗
---------------------------------------------
Summary points: Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts Recent campaigns pose as a Windows Defender Update Victims end up allowing the installation of a malicious Windows Application that targets user and system information Browser push notifications can highly resemble Windows system notifications. As recently discussed, scammers are abusing push notifications […]The post Scammers Impersonating Windows Defender to Push Malicious
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating-windows-defender-to-push-malicious-windows-apps/


∗∗∗ CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Microsoft Internet Information Services (IIS) for Windows. The bug was originally discovered by the Microsoft Platform Security & Vulnerability Research team. The following is a portion of their write-up covering CVE-2021-31166, with a few minimal modifications.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys



=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-21-594: (0Day) Microsoft Windows JET Database Engine Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-594/


∗∗∗ About the security content of Boot Camp 6.1.14 ∗∗∗
---------------------------------------------
Impact: A malicious application may be able to elevate privileges 
Description: A memory corruption issue was addressed with improved state management.
---------------------------------------------
https://support.apple.com/en-us/HT212517


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre).
---------------------------------------------
https://lwn.net/Articles/856496/


∗∗∗ Emerson Rosemount X-STREAM ∗∗∗
---------------------------------------------
This advisory contains mitigations for Inadequate Encryption Strength, Unrestricted Upload of File with Dangerous Type, Path Traversal, Use of Persistent Cookies Containing Sensitive Information, Cross-site Scripting, and Improper Restriction of Rendered UI Layers or Frames vulnerabilities for the Rosemount X-STREAM Gas Analyzer.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01


∗∗∗ D-LINK Router: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0536


∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0533


∗∗∗ KLCERT-20-021: Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-021/


∗∗∗ KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-020/


∗∗∗ KLCERT-20-019: Moxa NPort IA5000A Series. Passwords stored in plaintext ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-019/


∗∗∗ KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-018/


∗∗∗ Security Bulletin: A vulnerabilities in IBM Java affects IBM Developer for z Systems. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-java-affects-ibm-developer-for-z-systems/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-affect-ibm-netezza-analytics-for-nps/


∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-with-ibm-content-navigator-component-in-ibm-business-automation-workflow-cve-2020-4757-psirt-adv0028011-cve-2020-4934-2/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-postgresql-affect-ibm-connectdirect-web-service-3/


∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-affect-ibm-sterling-connectexpress-for-unix-cve-2021-3449-cve-2021-3450/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list