End-of-Day report
Timeframe: Thursday 21-01-2021 18:00 - Friday 22-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd)
When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the .jnlp extension.
https://isc.sans.edu/diary/rss/27018
Magento PHP Injection Loads JavaScript Skimmer
A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files.
https://blog.sucuri.net/2021/01/magento-php-injection-loads-javascript-skimmer.html
Project Zero: Windows Exploitation Tricks: Trapping Virtual Memory Access
This blog is a continuation of my series of Windows exploitation tricks. This one describes an exploitation trick I've been trying to develop for years, succeeding (mostly, more on that later) on the latest versions of Windows 10.
https://googleprojectzero.blogspot.com/2021/01/windows-exploitation-tricks-trapping.html
Crypto-miner Dovecat targets Qnap and Synology network-attached storage
Current security advisories are intended to protect network-attached storage (NAS) devices from Qnap and Synology.
https://heise.de/-5032679
New website launched to document vulnerabilities in malware strains
Launched by security researcher John Page, the new MalVuln website lists bugs in malware code.
https://www.zdnet.com/article/new-website-launched-to-document-vulnerabilities-in-malware-strains/
A look at the NIS 2.0 Recitals
The EU commission dropped a large cyber security package on December 16th 2020, including a first draft for a new version of the NIS Directive. In front of the actual normative legal text, there are 84 recitals, describing the intents of the regulation.
https://cert.at/en/blog/2021/1/nis2-recitals-feedback
Vulnerabilities
Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities.
https://jvn.jp/en/jp/JVN38248512/
Multiple vulnerabilities in Selea CarPlateServer and Selea Targa IP OCR-ANPR cameras
Zeroscience has found several vulnerabilities in two products from the company Selea. In both, among other issues, ways to execute foreign code were found.
https://www.zeroscience.mk/en/vulnerabilities/
0day in Windows 7 and Server 2008 R2 Gets a Micropatch
Update 1/22/2021: This vulnerability did not get patched by December 2020 or January 2021 Extended Security Updates, so we ported our micropatch to these updates.
https://blog.0patch.com/2020/11/0day-in-windows-7-and-server-2008-r2.html
Security updates for Friday
Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).
https://lwn.net/Articles/843571/
Windows RDP servers are being abused to amplify DDoS attacks
Windows RDP servers running on UDP port 3389 can be ensnared in DDoS botnets and abused to bounce and amplify junk traffic towards victim networks.
https://www.zdnet.com/article/windows-rdp-servers-are-being-abused-to-amplify-ddos-attacks/
Delta Electronics ISPSoft
This advisory contains mitigations for a Use After Free vulnerability in Delta Electronics ISPSoft PLC program development tool.
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-01
Delta Electronics TPEditor
This advisory contains mitigations for Untrusted Pointer Dereference, and Out-of-bounds Write vulnerabilities in Delta Electronics TPEditor programming software for Delta text panels.
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-02
Honeywell OPC UA Tunneller
This advisory contains mitigations for Heap-based Buffer Overflow, Out-of-bounds Read, Improper Check for Unusual or Exceptional Conditions, and Uncontrolled Resource Consumption vulnerabilities in Honeywell's OPC UA Tunneller software.
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03
Mitsubishi Electric MELFA
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric's MELFA robot controllers.
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-04
WAGO M&M Software fdtCONTAINER
This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in the M&M (a WAGO subsidiary) fdtCONTAINER application.
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05
Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-3/
Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to a denial of service attack (CVE-2020-4766)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru-is-vulnerable-to-a-denial-of-service-attack-cve-2020-4766/
Security Bulletin: A vulnerability in OpenSSL affects GCM16 & GCM32 KVM Switch Firmware (CVE-2019-1551)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openssl-affects-gcm16-gcm32-kvm-switch-firmware-cve-2019-1551/
Security Bulletin: IBM MQ Appliance is affected by multiple Mozilla Firefox vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-multiple-mozilla-firefox-vulnerabilities/
Security Bulletin: Security Vulnerability in IBM Java SDK affects IBM Voice Gateway
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in-ibm-java-sdk-affects-ibm-voice-gateway/