[CERT-daily] Tageszusammenfassung - 28.05.2021
Daily end-of-shift report
team at cert.at
Fri May 28 18:16:34 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-05-2021 18:00 − Freitag 28-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI to share compromised passwords with Have I Been Pwned ∗∗∗
---------------------------------------------
The FBI will soon begin to share compromised passwords with Have I Been Pwneds Password Pwned service that were discovered during law enforcement investigations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-to-share-compromised-passwords-with-have-i-been-pwned/
∗∗∗ Ransomware gangs slow decryptors prompt victims to seek alternatives ∗∗∗
---------------------------------------------
Recently, two highly publicized ransomware victims received a decryptor that was too slow to make it effective in quickly restoring the victims network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryptors-prompt-victims-to-seek-alternatives/
∗∗∗ Tracking BokBot (a.k.a. IcedID) Infrastructure ∗∗∗
---------------------------------------------
BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware.
---------------------------------------------
https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/
∗∗∗ Malicious PowerShell Hosted on script.google.com, (Fri, May 28th) ∗∗∗
---------------------------------------------
Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27468
∗∗∗ Jetzt patchen! Kritische Lücke in HPE SIM geschlossen ∗∗∗
---------------------------------------------
Es ist ein wichtiges Sicherheitsupdate für Hewlett Packard Enterprise Systems Insight Manager (SIM) erschienen.
---------------------------------------------
https://heise.de/-6056415
∗∗∗ Falsifying and weaponizing certified PDFs ∗∗∗
---------------------------------------------
Certified PDFs are supposed to control modifications so that recipients know they havent been tampered with. It doesnt always work.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/falsifying-and-weaponizing-certified-pdfs/
∗∗∗ Do you know your OpSec? ∗∗∗
---------------------------------------------
Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/do-you-know-your-opsec/
∗∗∗ Urlaubsreif? Buchen Sie nicht über ferienhauspartner.co, fewopartner.co, holidaypartner.co & ferienpartner.co! ∗∗∗
---------------------------------------------
Sind Sie auf der Suche nach ein Urlaubsdomizil für den nahenden Sommer? Wenn ja, könnten Sie auf betrügerische Webseiten stoßen. Denn Kriminelle bieten derzeit Ferienhäuser und Ferienwohnungen in Deutschland und Dänemark an, die per Vorkasse gebucht werden können. Doch Vorsicht: Das bezahlte Geld landet direkt in den Händen der Kriminellen, eine aufrechte Buchung gibt es nicht!
---------------------------------------------
https://www.watchlist-internet.at/news/urlaubsreif-buchen-sie-nicht-ueber-ferienhauspartnerco-fewopartnerco-holidaypartnerco-ferienp/
∗∗∗ MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone ∗∗∗
---------------------------------------------
To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of todays most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/mobile-inter/
∗∗∗ Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat ∗∗∗
---------------------------------------------
A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape.
---------------------------------------------
https://unit42.paloaltonetworks.com/docker-honeypot/
∗∗∗ CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier ∗∗∗
---------------------------------------------
In April 2021, the ZDI received a Linux kernel submission that turned out to be an incorrect bounds calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. This bug was submitted to the program by Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf). Manfred Paul had successfully exploited two other eBPF verifier bugs in Pwn2Own 2020 and 2021 respectively.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier
∗∗∗ The Race to Native Code Execution in PLCs ∗∗∗
---------------------------------------------
Claroty has found a severe memory protection bypass vulnerability (CVE-2020-15782) in Siemens PLCs, the SIMATIC S7-1200 and S7-1500. An attacker could abuse this vulnerability on PLCs with disabled access protection to gain read and write access anywhere on the PLC and remotely execute malicious code.
---------------------------------------------
https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-in-plcs/
∗∗∗ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ∗∗∗
---------------------------------------------
On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs, Research Institutions, Government Agencies, International Agencies The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL [...]
---------------------------------------------
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges customers to immediately patch NSM On-Prem bug ∗∗∗
---------------------------------------------
SonicWall urges customers to immediately patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-urges-customers-to-immediately-patch-nsm-on-prem-bug/
∗∗∗ SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families ∗∗∗
---------------------------------------------
SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-434534.txt
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx), Fedora (chromium, curl, kernel, php-symfony3, php-symfony4, python-lxml, python-pip, and runc), Mageia (ceph and wireshark), openSUSE (mpv), Oracle (bind, idm:DL1, redis:6, slapi-nis, squid:4, and xorg-x11-server), SUSE (curl, nginx, postgresql10, postgresql12, postgresql13, slurm, slurm_18_08, and slurm_20_11), and Ubuntu (nginx).
---------------------------------------------
https://lwn.net/Articles/857581/
∗∗∗ Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M ∗∗∗
---------------------------------------------
BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends customers to update vulnerable components with fixed software versions. A second vulnerable condition was found when using http protocol, in which the user password is transmitted as a clear text parameter. Latest firmware versions allow only https. If a software update is not [...]
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-websphere-extreme-scale-liberty-deployment/
∗∗∗ Security Bulletin: Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-affecting-watson-knowledge-catalog-for-ibm-cloud-pak-for-data/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list