[CERT-daily] Daily summary - 12.10.2021

Daily end-of-shift report team at cert.at
Tue Oct 12 18:14:36 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 11-10-2021 18:00 − Tuesday 12-10-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Wolfgang Menezes

=====================
=       News        =
=====================

∗∗∗ JavaScript: RSA key generation with many zeros ∗∗∗
---------------------------------------------
GitHub is blocking insecure SSH keys that were generated due to a bug in a JavaScript library.
---------------------------------------------
https://www.golem.de/news/javascript-rsa-schluesselerzeugung-mit-vielen-nullen-2110-160268-rss.html


∗∗∗ iOS 15.0.2 and watchOS 8.0.1: Many bug fixes, and once again an exploit in circulation ∗∗∗
---------------------------------------------
Apple updated its iPhone, iPad and Apple Watch operating systems overnight into Tuesday. For the phone and tablet, the update also concerns security.
---------------------------------------------
https://heise.de/-6214563


∗∗∗ Johnson Controls: Vulnerabilities allowed remote access to video surveillance ∗∗∗
---------------------------------------------
Updates for the exacqVision video surveillance solution from Johnson Controls/Exacq Technologies close two security vulnerabilities. One is rated critical.
---------------------------------------------
https://heise.de/-6215264


∗∗∗ Beware of Microsoft calls ∗∗∗
---------------------------------------------
Hang up immediately if you receive a call that claims to be from Microsoft. Criminals pose as Microsoft employees and claim to have discovered a virus on your computer. The fake Microsoft employees then draw you into a conversation and offer to solve the problem together with you. Caution: this is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-microsoft-anrufen/


∗∗∗ Photo editor Android app STILL sitting on Google Play store is malware ∗∗∗
---------------------------------------------
An Android app sitting on the Google Play store touts itself to be a photo editor app. But, it contains code that steals the user's Facebook credentials to potentially run ad campaigns on the user's behalf, with their payment information. The app has scored over 5K installs, with similar spyware apps having 500K+ installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/photo-editor-android-app-still-sitting-on-google-play-store-is-malware/


∗∗∗ How cyberattacks are changing according to new Microsoft Digital Defense Report ∗∗∗
---------------------------------------------
Get the latest expert insights on human-operated ransomware, phishing attacks, malware, and more to get ahead of these threats before they begin.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/10/11/how-cyberattacks-are-changing-according-to-new-microsoft-digital-defense-report/


∗∗∗ SnapMC skips ransomware, steals data ∗∗∗
---------------------------------------------
Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the [...]
---------------------------------------------
https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/


∗∗∗ Reverse engineering and decrypting CyberArk vault credential files ∗∗∗
---------------------------------------------
This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password.
---------------------------------------------
https://blog.fox-it.com/2021/10/12/reverse-engineering-and-decrypting-cyberark-vault-credential-files/


∗∗∗ New Trickbot and BazarLoader campaigns use multiple delivery vectors ∗∗∗
---------------------------------------------
Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors


∗∗∗ Inside Apple: How macOS attacks are evolving ∗∗∗
---------------------------------------------
Our Apple expert Thomas Reed went to the Objective by the Sea security conference. Here's what he learned about macOS attacks.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-macos-attacks-are-evolving/


∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products. The companies have released patches and mitigations to address these vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electric-address-over-50-vulnerabilities


∗∗∗ ASEC Weekly Malware Statistics (September 27th, 2021 – October 3rd, 2021) ∗∗∗
---------------------------------------------
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 27th, 2021 (Monday) to October 3rd, 2021 (Sunday). For the main category, info-stealer ranked top with 63.2%, followed by Downloader with 19.2%, RAT (Remote Administration Tool) malware with 10.7%, Backdoor Downloader with 3.7%, Ransomware with 1.9%, CoinMiner with 1.1%, and Banking malware with 0.2%.
---------------------------------------------
https://asec.ahnlab.com/en/27577/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Attackers could forge digital signatures in LibreOffice and OpenOffice ∗∗∗
---------------------------------------------
Important security updates are available for the LibreOffice and OpenOffice office suites.
---------------------------------------------
https://heise.de/-6214784


∗∗∗ Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, buffer overflows ∗∗∗
---------------------------------------------
Cisco Talos recently discovered two vulnerabilities in the Anker Eufy Homebase. The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem.
---------------------------------------------
https://blog.talosintelligence.com/2021/10/vuln-spotlight-anker-.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid).
---------------------------------------------
https://lwn.net/Articles/872696/


∗∗∗ # SSA-163251: Multiple Vulnerabilities in SINEC NMS ∗∗∗
---------------------------------------------
The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. Siemens has released an update for SINEC NMS and recommends to update to the latest version.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-163251.txt


∗∗∗ # SSA-173565: Denial-of-Service Vulnerability in RUGGEDCOM ROX Devices ∗∗∗
---------------------------------------------
The latest update for RUGGEDCOM ROX devices fixes a vulnerability that could allow an unauthenticated attacker to cause a permanent Denial-of-Service condition under certain conditions. Siemens has released updates for the affected products and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-173565.txt


∗∗∗ # SSA-178380: Denial-of-Service Vulnerability in SINUMERIK Controllers ∗∗∗
---------------------------------------------
A Denial-of-Service vulnerability found in SINUMERIK Controllers could allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability. Siemens has released an update for the SINUMERIK 828D and recommends to update to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-178380.txt


∗∗∗ # SSA-280624: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
The Scalance W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or trigger buffer overflows. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-280624.txt


∗∗∗ Advantech WebAccess SCADA ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Missing Authorization vulnerability in the Advantech WebAccess SCADA HMI platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01


∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
This advisory contains mitigations for Heap-based Buffer Overflow, and Stack-based Buffer Overflow vulnerabilities in the Advantech WebAccess HMI platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02


∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
This advisory contains mitigations for Classic Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in Schneider Electric IGSS (Interactive Graphical SCADA System) software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-285-03


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-aix-6/


∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities-5/


∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-security-vulnerabilities-2/


∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-spectrum-scale-packaged-in-ibm-elastic-storage-server-cve-2020-5258/


∗∗∗ Foxit Reader & PhantomPDF: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1053

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily