Daily summary - 29.01.2021

End-of-Day report

Timeframe: Thursday 28-01-2021 18:00 - Friday 29-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer

News

Perl.com domain stolen, now using IP address tied to malware

The domain name perl.com was stolen this week and now points to an IP address associated with malware campaigns.

https://www.bleepingcomputer.com/news/security/perlcom-domain-stolen-now-using-ip-address-tied-to-malware/


A Look at iMessage in iOS 14

On December 20, Citizenlab published "The Great iPwn", detailing how "Journalists [were] Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit". Of particular interest is the following note: "We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections". Given that it is also now almost exactly one year ago since we published the Remote iPhone Exploitation blog post series, in which we described how an iMessage 0-click exploit can work in practice and gave a number of suggestions on how similar attacks could be prevented in the future, now seemed like a great time to dig into the security improvements in iOS 14 in more detail and explore how Apple has hardened their platform against 0-click attacks.

https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html


Sensitive Data Shared with Cloud Services, (Fri, Jan 29th)

Yesterday was the data protection day in Europe. I was not on duty so I'm writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild: 14GB compressed, 77M credentials.

https://isc.sans.edu/diary/rss/27042


Attacks on Individuals Fall as Cybercrime Shifts Tactics

Cybercriminals shifted away from stealing individual consumers' information in 2020 to focus on bigger, more profitable attacks on businesses, according to a report from the Identity Theft Resource Center.

https://www.securityweek.com/attacks-individuals-fall-cybercrime-shifts-tactics


Identity theft through fraudulent job offers is booming!

The labour market in Austria remains tense. This is also noticeable in the area of internet fraud. Our readers repeatedly report that, while looking for a side income, they came across a fraudulent job offer. The aim behind this scam: the fraudsters try to steal the victims' identity, and sometimes an account is even opened in the name of those affected.

https://www.watchlist-internet.at/news/identitaetsdiebstahl-durch-betruegerische-jobangebote-boomen/


Don't stop at alert(1): Demonstrate impact with low severity bugs

When trying to discover vulnerabilities in a web application, you may not always come across high or critical severity bugs, and only end up finding low-medium severity issues like cross-site scripting (XSS). When that is the case, it is worth seeing how far those bugs can take you, since low severity vulnerabilities can still have a large effect when leveraged as part of a more impactful attack chain.

https://medium.com/tenable-techblog/dont-stop-at-alert-1-demonstrate-impact-with-low-severity-bugs-877d057c8ec4

Vulnerabilities

Libgcrypt: Warning about a severe bug in the GnuPG crypto library

The latest version of the encryption library Libgcrypt, which is used by GnuPG among others, reportedly contains a severe security vulnerability.

https://www.golem.de/news/libgcrypt-warnung-vor-schwerem-fehler-in-gnupg-kryptobibliothek-2101-153771.html


Security updates for Friday

Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).

https://lwn.net/Articles/844521/


Rockwell Automation FactoryTalk Linx and FactoryTalk Services Platform

This advisory contains mitigations for Classic Buffer Overflow and Improper Check or Handling of Exceptional Conditions vulnerabilities in Rockwell Automation's FactoryTalk Linx and FactoryTalk Services Platform software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-028-01


SSA-520004: Telnet Authentication Vulnerability in SIMATIC HMI Comfort Panels

https://cert-portal.siemens.com/productcert/txt/ssa-520004.txt


Linksys Router: Vulnerability allows execution of arbitrary code with administrator privileges

http://www.cert-bund.de/advisoryshort/CB-K21-0101