End-of-Day report
Timeframe: Thursday 07-10-2021 18:00 - Friday 08-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Rapid RYUK Ransomware Attack Group Christened as FIN12
The prolific ransomware cybercrime group's approach underscores a complicated, layered model of cybercrime.
https://www.darkreading.com/attacks-breaches/rapid-ryuk-ransomware-attack-group-christened-as-fin12
Sorting Things Out - Sorting Data by IP Address, (Fri, Oct 8th)
One thing that is huge in making sense of large volumes of data is sorting, which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment or pentest.
https://isc.sans.edu/diary/rss/27916
Free BrewDog beer, with a side order of shareholder PII?
BrewDog exposed the details of over 200,000 "Equity for Punks" shareholders for over 18 months, plus many more customers.
https://www.pentestpartners.com/security-blog/free-brewdog-beer-with-a-side-order-of-shareholder-pii/
FontOnLake: Previously unknown malware family targeting Linux
ESET researchers discover a malware family with tools that show signs they're used in targeted attacks.
https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/
NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques
The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA).
https://us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guidance-avoiding-dangers-wildcard-tls-certificates
Microsoft to disable Excel 4.0 macros, one of the most abused Office features
Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also XLM macros, for all Microsoft 365 users by the end of the year [...]
https://therecord.media/microsoft-to-disable-excel-4-0-macros-one-of-the-most-abused-office-features/
Malicious PowerPoint Files Constantly Being Distributed
In April 2021, the ASEC analysis team introduced the malware delivered via PowerPoint files attached to emails on the ASEC blog. The team has since found continued malicious activity using PPAM files (PowerPoint add-in format) and is sharing its findings.
https://asec.ahnlab.com/en/26597/
Vulnerabilities
Security updates for Friday
Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7).
https://lwn.net/Articles/872267/
Google Patches Four Severe Vulnerabilities in Chrome
Google this week announced the release of an updated Chrome version for Windows, Mac and Linux, to address a total of four high-severity vulnerabilities in the browser.
https://www.securityweek.com/google-patches-four-severe-vulnerabilities-chrome
Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation
On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild.
https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities
Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-23436
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designers-may-be-vulnerable-to-arbitrary-code-execution-via-cve-2021-23436/
Security Bulletin: IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors (CVE-2021-29906)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-could-disclose-sensitive-information-to-a-local-user-when-it-is-configured-to-use-an-ibm-cloud-api-key-to-connect-to-cloud-based-conne/
Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39135
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integration-servers-may-be-vulnerable-to-a-symlink-attack-due-to-cve-2021-39135/
Security Bulletin: Access Control Vulnerability Affects the User Interface of IBM Sterling File Gateway (CVE-2020-4654)
https://www.ibm.com/blogs/psirt/security-bulletin-access-control-vulnerability-affects-the-user-interface-of-ibm-sterling-file-gateway-cve-2020-4654/
Security Bulletin: Node.js as used by IBM Security QRadar Packet Capture contains multiple vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251, CVE-2020-8277)
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-security-qradar-packet-capture-contains-multiple-vulnerabilities-cve-2020-8201-cve-2020-8252-cve-2020-8251-cve-2020-8277/
Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39134
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integration-servers-may-be-vulnerable-to-a-symlink-attack-due-to-cve-2021-39134/
Security Bulletin: Multiple Apache PDFBox security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-security-vulnerabilities/
Security Bulletin: IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-images-may-be-vulnerable-to-denial-of-service-attacks-due-to-cve-2021-23362-and-cve-2021-27290/
Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2020-5008)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-sensitive-information-disclosure-vulnerability-cve-2020-5008/
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-affect-ibm-netezza-performance-portal/
Kyocera printers: multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K21-1049
Johnson Controls exacqVision Server Bundle
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01
Mobile Industrial Robots Vehicles and MiR Fleet Software
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
Johnson Controls exacqVision
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03
Mitsubishi Electric MELSEC iQ-R Series C Controller Module
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-04
InHand Networks IR615 Router
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05
FATEK Automation WinProladder
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06
FATEK Automation Communication Server
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-07