[CERT-daily] Tageszusammenfassung - 29.10.2021
Daily end-of-shift report
team at cert.at
Fri Oct 29 18:16:34 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-10-2021 18:00 − Freitag 29-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Wie Ransomware eine Stadtverwaltung Tage lang lahmlegte ∗∗∗
---------------------------------------------
Neustadt am Rübenberge war Ziel eines großen IT-Angriffs. Der Fall zeigt, wie stark sich das auswirken kann, welche Lehren Institutionen daraus ziehen sollten.
---------------------------------------------
https://heise.de/-6236592
∗∗∗ Betrügerische Mails und SMS im Namen der Volksbank im Umlauf! ∗∗∗
---------------------------------------------
Derzeit geben sich BetrügerInnen vermehrt als Volksbank aus, um per Mail oder SMS an die Online-Banking-Zugangsdaten von potenziellen Opfer zu kommen. Die Kriminellen behaupten dabei, dass eine App installiert werden müsste oder der Zugang zu dieser App gesperrt wurde. Achtung: Es handelt sich um Phishing und Smishing!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-namen-der-volksbank-im-umlauf/
∗∗∗ SEO Poisoning Used to Distribute Ransomware ∗∗∗
---------------------------------------------
This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribute-ransomware
∗∗∗ Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App ∗∗∗
---------------------------------------------
Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency.
---------------------------------------------
https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/
∗∗∗ Pink, a botnet that competed with the vendor to control the massive infected devices ∗∗∗
---------------------------------------------
Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...]
---------------------------------------------
https://blog.netlab.360.com/pink-en/
∗∗∗ This New Android Malware Can Gain Root Access to Your Smartphones ∗∗∗
---------------------------------------------
An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis.
---------------------------------------------
https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html
∗∗∗ Update your OptinMonster WordPress plugin immediately ∗∗∗
---------------------------------------------
We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-your-optinmonster-wordpress-plugin-immediately/
∗∗∗ Network Scanning Traffic Observed in Public Clouds ∗∗∗
---------------------------------------------
Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/
∗∗∗ NSA-CISA Series on Securing 5G Cloud Infrastructures ∗∗∗
---------------------------------------------
The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-securing-5g-cloud-infrastructures
=====================
= Vulnerabilities =
=====================
∗∗∗ All Windows versions impacted by new LPE zero-day vulnerability ∗∗∗
---------------------------------------------
A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/
∗∗∗ Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X ∗∗∗
---------------------------------------------
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN69304877/
∗∗∗ Shrootless: Microsoft finds Apple macOS vulnerability ∗∗∗
---------------------------------------------
Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootless-microsoft-finds-apple-vulnerability-in-macos/
∗∗∗ XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites ∗∗∗
---------------------------------------------
On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations.
---------------------------------------------
https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-social-networks-auto-poster-plugin-impacts-100000-sites/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
---------------------------------------------
https://lwn.net/Articles/874354/
∗∗∗ Sensormatic Electronics victor ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01
∗∗∗ Delta Electronics DOPSoft (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04
∗∗∗ GoCD Authentication Vulnerability ∗∗∗
---------------------------------------------
GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authentication-vulnerability
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Advisory: RCE Vulnerability in Automation Studio ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1634138454867-en-original-1.0.pdf
∗∗∗ Advisory: ZipSlip Vulnerability in Automation Studio Project Import ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1634138454862-en-original-1.0.pdf
∗∗∗ Advisory: DLL Hijacking Vulnerability in Automation Studio ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1634138454857-en-original-1.0.pdf
∗∗∗ ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN60553023/
∗∗∗ ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1273/
∗∗∗ ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1272/
∗∗∗ ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1271/
∗∗∗ ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1270/
∗∗∗ ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1275/
∗∗∗ ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1274/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list