[CERT-daily] Daily summary - 17.11.2021
Daily end-of-shift report
team at cert.at
Wed Nov 17 18:35:33 CET 2021
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-11-2021 18:00 − Wednesday 17-11-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ These are the cryptomixers hackers use to clean their ransoms ∗∗∗
---------------------------------------------
Cryptomixers have always been at the epicenter of cybercrime activity, allowing hackers to "clean" cryptocurrency stolen from victims and making it hard for law enforcement to track them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/these-are-the-cryptomixers-hackers-use-to-clean-their-ransoms/
∗∗∗ 6 Tips To Keep in Mind for Ransomware Defense ∗∗∗
---------------------------------------------
Ransomware is everywhere, including the nightly news. Most people know what it is, but how do ransomware attackers get in, and how can we defend against them?
---------------------------------------------
https://www.darkreading.com/edge-articles/6-tips-to-keep-in-mind-for-ransomware-defense
∗∗∗ Github: NPM packages could be arbitrarily overwritten ∗∗∗
---------------------------------------------
A bug in the NPM registry made it possible to overwrite packages. Github does not know for certain whether this was exploited.
---------------------------------------------
https://www.golem.de/news/github-npm-pakete-konnten-beliebig-ueberschrieben-werden-2111-161138-rss.html
∗∗∗ Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma ∗∗∗
---------------------------------------------
Thanks to the work of Google’s TAG team, we were able to grab two versions of the backdoor used by the threat actors, which we will label UserAgent 2019 and UserAgent 2021.
---------------------------------------------
https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/
∗∗∗ Vulnerabilities in industrial IoT protocol enable remote control by third parties ∗∗∗
---------------------------------------------
Implementations of a data exchange protocol for industrial controllers are susceptible to manipulations that could lead to damage.
---------------------------------------------
https://heise.de/-6268372
∗∗∗ Ordering on fotoexperte24.de leads into a subscription trap! ∗∗∗
---------------------------------------------
On the website fotoexperte24.de, cheap passport photos for various ID documents can be ordered. In reality, however, it is a fake shop that delivers no photos. Instead, the dubious provider charges significantly more money to the credit card than was displayed during the ordering process.
---------------------------------------------
https://www.watchlist-internet.at/news/bestellung-auf-fotoexperte24de-fuehrt-in-abo-falle/
∗∗∗ Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 ∗∗∗
---------------------------------------------
Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic.
---------------------------------------------
https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/
∗∗∗ ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities ∗∗∗
---------------------------------------------
In several recent Incident Response engagements, Mandiant has observed threat actors exploiting the vulnerabilities in different ways than previously reported.
---------------------------------------------
https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM has published 15 security bulletins. Of these, one is rated "Critical", six "High", and eight "Medium".
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr).
---------------------------------------------
https://lwn.net/Articles/876327/
∗∗∗ Netgear patches severe pre-auth RCE in 61 router and modem models ∗∗∗
---------------------------------------------
Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office and small home (SOHO) routers this year.
---------------------------------------------
https://therecord.media/netgear-deals-with-its-fifth-wave-of-severe-rce-bugs-this-year/
∗∗∗ ZDI-21-1320: Trend Micro Antivirus for Mac Improper Access Control Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1320/
∗∗∗ ZDI-21-1319: (0Day) Autodesk Design Review PNG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1319/
∗∗∗ ZDI-21-1317: (0Day) Autodesk Design Review PDF File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1317/
∗∗∗ ZDI-21-1316: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1316/
∗∗∗ ZDI-21-1315: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1315/
∗∗∗ Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-ILR-8qmW8y8X
∗∗∗ Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-XSS-KjrNbM3p
∗∗∗ Cisco Common Services Platform Collector SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-SQLI-unVPTn5
∗∗∗ WooCommerce Extension – Reflected XSS Vulnerability ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability/
∗∗∗ Synology-SA-21:29 Samba ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_29
∗∗∗ FATEK Automation WinProladder ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-320-01
∗∗∗ Mitsubishi Electric GOT products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-320-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily