[CERT-daily] Tageszusammenfassung - 13.09.2021

Mon Sep 13 18:16:34 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 10-09-2021 18:00 − Montag 13-09-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Warten auf Windows-Patches: Selbstbau-Anleitung für MSHTML-Exploit in Umlauf ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen, wie Angreifer Microsofts Schutzmaßnahmen vor Windows-Attacken umgehen könnten. Außerdem ist ein Exploit-Baukasten verfügbar.
---------------------------------------------
https://heise.de/-6190319


∗∗∗ SOVA, Worryingly Sophisticated Android Trojan, Takes Flight ∗∗∗
---------------------------------------------
The malware appeared in August with an ambitious roadmap (think ransomware, DDoS) that could make it the most feature-rich Android malware on the market.
---------------------------------------------
https://threatpost.com/sova-sophisticated-android-trojan/169366/


∗∗∗ Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th) ∗∗∗
---------------------------------------------
This parser takes the logs from a Windows 2012R2 and/or 2019 server (C:\DNSLogs\windns.log) and parses them into usable metatada which can be monitored and queried via an ELK dashboard. The logs have been mapped using DNS ECS field meta here [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/27828


∗∗∗ New SpookJS Attack Bypasses Google Chrome’s Site Isolation Protection ∗∗∗
---------------------------------------------
A newly discovered side-channel attack demonstrated on modern processors can be weaponized to successfully overcome Site Isolation protections weaved into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style speculative execution attack. Dubbed "Spook.js" by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv [...]
---------------------------------------------
https://thehackernews.com/2021/09/new-spookjs-attack-bypasses-google.html


∗∗∗ REvil: Ransomware-Gang in neuer Aufstellung wieder aktiv ∗∗∗
---------------------------------------------
Neue Forenbeiträge und "Happy Blog"-Inhalte belegen, dass die Erpresserbande um REvil zurück ist - und dass ihre Auszeit wohl nicht freiwillig war.
---------------------------------------------
https://heise.de/-6190537


∗∗∗ BazarLoader to Conti Ransomware in 32 Hours ∗∗∗
---------------------------------------------
Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown [...]
---------------------------------------------
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/


∗∗∗ Incident response analyst report 2020 ∗∗∗
---------------------------------------------
We deliver a range of services: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams.
---------------------------------------------
https://securelist.com/incident-response-analyst-report-2020/104080/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application.
---------------------------------------------
https://blog.talosintelligence.com/2021/09/nitro-pro-code-execution.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (qemu and thunderbird), Fedora (chromium, firefox, and mosquitto), openSUSE (apache2-mod_auth_openidc, gifsicle, openssl-1_1, php7-pear, and wireshark), Oracle (oswatcher), Red Hat (cyrus-imapd, firefox, and thunderbird), SUSE (apache2-mod_auth_openidc, compat-openssl098, php7-pear, and wireshark), and Ubuntu (git and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/869103/


∗∗∗ Update - Kritische Sicherheitslücke in der Microsoft MSHTML Komponente - Workarounds verfügbar, Exploits veröffentlicht ∗∗∗
---------------------------------------------
Update: 13. September 2021 / Beschreibung Microsoft hat außerhalb des üblichen Patch-Zyklus eine Warnung über eine Sicherheitslücke in der MSHTML Komponente veröffentlicht. Diese kann von Angreifer:innen durch entsprechend präparierte Microsoft Office-Dokumente ausgenutzt werden - laut Microsoft sind solche Dokumente bereits im Umlauf.
---------------------------------------------
https://cert.at/de/warnungen/2021/9/kritische-sicherheitslucke-in-der-microsoft-mshtml-komponente-workarounds-verfugbar


∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-csv-injection-cve-2021-20509-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-websphere-application-server-july-2021-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/


∗∗∗ Security Bulletin: Multiple vulnerabilities in ICU libraries used in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-icu-libraries-used-in-ibm-datapower-gateway/


∗∗∗ Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-29727, CVE-2021-29801, CVE-2021-29862) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-aix-kernel-cve-2021-29727-cve-2021-29801-cve-2021-29862-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-25/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security SOAR (CVE-2021-2341, CVE-2021-2369) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-security-soar-cve-2021-2341-cve-2021-2369/


∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-sdk-java-technology-edition-8/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-24/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-23/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-22/


∗∗∗ Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-affect-liberty-for-java-for-ibm-cloud-2/


∗∗∗ Security Bulletin: Input Validation Vulnerability in Apache Commons Codec Affects IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerability-in-apache-commons-codec-affects-ibm-sterling-connectdirect-for-unix/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily