End-of-Day report
Timeframe: Mittwoch 13-01-2021 18:00 - Donnerstag 14-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
News
Big Sur: Apple erlaubt wieder Firewall-Filter für Systemdienste
In aktuellen MacOS-Versionen hatte Apple seine Systemdienste von Firewall-Regeln ausgenommen. Eine Betaversion macht das nun rückgängig.
https://www.golem.de/news/big-sur-apple-erlaubt-wieder-firewall-filter-fuer-systemdienste-2101-153385-rss.html
Sysdig beobachtet einen Shift Left bei Container Security
Während Docker als Container Runtime an Bedeutung verliert, scannen immer mehr Anwender ihre Images schon früh im Build-Prozess ihrer CI/CD-Pipelines.
https://heise.de/-5024624
Cisco says it wont patch 74 security bugs in older RV routers that reached EOL
Cisco advises RV110W, RV130, RV130W, and RV215W device owners to migrate to newer gear.
https://www.zdnet.com/article/cisco-says-it-wont-patch-74-security-bugs-in-older-rv-routers-that-reached-eol/
Telegram-based phishing service Classiscam hits European marketplaces
Dozens of cybercriminal gangs are publishing fake ads on popular online marketplaces to lure interested users to fraudulent merchant sites or to phishing pages that steal payment data.
https://www.bleepingcomputer.com/news/security/telegram-based-phishing-service-classiscam-hits-european-marketplaces/
Windows 10 bug corrupts your hard drive on seeing this files icon
An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command.
https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th)
Recently I had to analyze an Excel malicious file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros.
https://isc.sans.edu/diary/rss/26986
Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
CISA is aware of several recent successful cyberattacks against various organizations- cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices. In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and [...]
https://us-cert.cisa.gov/ncas/current-activity/2021/01/13/attackers-exploit-poor-cyber-hygiene-compromise-cloud-security
Opening -STEELCORGI-: A Sophisticated APT Swiss Army Knife
This time we decided to dissect and share intelligence information about another piece of the TH-239 arsenal: a tiny and mysterious tool dubbed -STEELCORGI- on FireEye research. This tool was heavily protected using a novel technique able to make things really difficult to any DFIR Team tackling with TH-239 intrusion, but it-s contents reveal huge surprises and unattended capabilities.
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/
A Global Perspective of the SideWinder APT
AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives.
https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-the-sidewinder-apt
Vulnerabilities
Office January security updates fix remote code execution bugs
Microsoft addresses important severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates released during this months Patch Tuesday.
https://www.bleepingcomputer.com/news/security/office-january-security-updates-fix-remote-code-execution-bugs/
Juniper Networks Releases Security Updates for Multiple Products
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to cause take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.
https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/juniper-networks-releases-security-updates-multiple-products
Security updates for Thursday
Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar).
https://lwn.net/Articles/842673/
Pepperl+Fuchs IO-Link Master Series 1.36 CSRF / XSS / Command Injection
https://cxsecurity.com/issue/WLB-2021010110
OpenSSL vulnerability CVE-2020-1971
https://support.f5.com/csp/article/K42910051
Red Hat Decision Manager: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes
https://www.cert-bund.de/advisoryshort/CB-K21-0037
Security Advisory - Denial of Service Vulnerability in Some Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-02-dos-en
Security Advisory - Insufficient Integrity Check Vulnerability in Huawei Sound X Product
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-01-ais-en
Security Advisory - Logic Vulnerability in Huawei Gauss100 Product
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-01-gauss-en
Security Bulletin: Vulnerability in Python affects IBM Spectrum Protect Plus Microsoft File Systems Agent (CVE-2020-26116)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-affects-ibm-spectrum-protect-plus-microsoft-file-systems-agent-cve-2020-26116/
Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-multiple-vulnerabilities-2/
Security Bulletin: Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751)
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-gnu-glibc-affect-ibm-cloud-pak-for-data-gnu-glibc-cve-2020-1751-2/
Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-guardium-data-encryption-gde-3/
Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-security-vulnerabilities-7/
Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2020-25696)
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-affects-ibm-sterling-connectdirect-for-microsoft-windows-cve-2020-25696/
Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-security-vulnerabilities-6/
Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-security-vulnerabilities-4/
Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421).
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring-framework-affects-ibm-tivoli-application-dependency-discovery-manager-cve-2020-5421-2/
Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7769)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-and-ibm-integration-bus-cve-2020-7769/
Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-15358)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-cve-2020-15358/
Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-security-vulnerabilities-12/
Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2015-9381, CVE-2015-9382)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-security-vulnerabilities-cve-2015-9381-cve-2015-9382-2/
Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java- Technology Edition, that is used by IBM Workload Scheduler.
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-sdk-java-technology-edition-that-is-used-by-ibm-workload-scheduler-2/
Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway has security vulnerabilities (CVE-2019-2044, CVE-2019-2045)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterprise-gateway-has-security-vulnerabilities-cve-2019-2044-cve-2019-2045/
Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-11745)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2019-11745-2/
Security Bulletin: IBM API Connect V5 Developer Portal is vulnerable to cross-site scripting (CVE-2020-4838)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-developer-portal-is-vulnerable-to-cross-site-scripting-cve-2020-4838-2/
Security Bulletin: CVE-2020-2601 may affect IBM® SDK, Java- Technology Edition, that is used by IBM Workload Scheduler.
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-may-affect-ibm-sdk-java-technology-edition-that-is-used-by-ibm-workload-scheduler-2/