Daily summary - 12.10.2021

End-of-Day report

Timeframe: Monday 11-10-2021 18:00 - Tuesday 12-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes

News

JavaScript: RSA key generation with many zeros

GitHub is blocking insecure SSH keys that were generated because of a bug in a JavaScript library.

https://www.golem.de/news/javascript-rsa-schluesselerzeugung-mit-vielen-nullen-2110-160268-rss.html


iOS 15.0.2 and watchOS 8.0.1: Many bug fixes - and another exploit in the wild

Apple patched its iPhone, iPad and Apple Watch operating systems overnight into Tuesday. For the phone and the tablet, the updates are also about security.

https://heise.de/-6214563


Johnson Controls: Flaws allowed remote access to video surveillance

Updates for the exacqVision video surveillance solution from Johnson Controls/Exacq Technologies close two security vulnerabilities. One is rated critical.

https://heise.de/-6215264


Beware of Microsoft calls

Hang up immediately if you receive a call that supposedly comes from Microsoft. Criminals pose as Microsoft employees and claim they have detected a virus on your computer. The fake Microsoft employees then draw you into a conversation and offer to solve the problem together with you. Attention: this is a scam!

https://www.watchlist-internet.at/news/vorsicht-vor-microsoft-anrufen/


Photo editor Android app STILL sitting on Google Play store is malware

An Android app sitting on the Google Play store touts itself as a photo editor app. But it contains code that steals the user's Facebook credentials to potentially run ad campaigns on the user's behalf, with their payment information. The app has scored over 5K installs, with similar spyware apps having 500K+ installs.

https://www.bleepingcomputer.com/news/security/photo-editor-android-app-still-sitting-on-google-play-store-is-malware/


How cyberattacks are changing according to new Microsoft Digital Defense Report

Get the latest expert insights on human-operated ransomware, phishing attacks, malware, and more to get ahead of these threats before they begin.

https://www.microsoft.com/security/blog/2021/10/11/how-cyberattacks-are-changing-according-to-new-microsoft-digital-defense-report/


SnapMC skips ransomware, steals data

Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the [...]

https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/


Reverse engineering and decrypting CyberArk vault credential files

This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password.

https://blog.fox-it.com/2021/10/12/reverse-engineering-and-decrypting-cyberark-vault-credential-files/


New Trickbot and BazarLoader campaigns use multiple delivery vectors

Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.

https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors


Inside Apple: How macOS attacks are evolving

Our Apple expert Thomas Reed went to the Objective by the Sea security conference. Here's what he learned about macOS attacks.

https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-macos-attacks-are-evolving/


ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities

Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products. The companies have released patches and mitigations to address these vulnerabilities.

https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electric-address-over-50-vulnerabilities


ASEC Weekly Malware Statistics (September 27th, 2021 - October 3rd, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 27th, 2021 (Monday) to October 3rd, 2021 (Sunday). For the main category, info-stealer ranked top with 63.2%, followed by Downloader with 19.2%, RAT (Remote Administration Tool) malware with 10.7%, Backdoor Downloader with 3.7%, Ransomware with 1.9%, CoinMiner with 1.1%, and Banking malware with 0.2%.

https://asec.ahnlab.com/en/27577/

Vulnerabilities

Attackers could forge digital signatures in LibreOffice and OpenOffice

Important security updates are available for the office suites LibreOffice and OpenOffice.

https://heise.de/-6214784


Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, buffer overflows

Cisco Talos recently discovered two vulnerabilities in the Anker Eufy Homebase. The Eufy Homebase 2 is the video storage and networking gateway that works with Anker's Eufy Smarthome ecosystem.

https://blog.talosintelligence.com/2021/10/vuln-spotlight-anker-.html


Security updates for Tuesday

Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid).

https://lwn.net/Articles/872696/


SSA-163251: Multiple Vulnerabilities in SINEC NMS

The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. Siemens has released an update for SINEC NMS and recommends updating to the latest version.

https://cert-portal.siemens.com/productcert/txt/ssa-163251.txt


SSA-173565: Denial-of-Service Vulnerability in RUGGEDCOM ROX Devices

The latest update for RUGGEDCOM ROX devices fixes a vulnerability that could allow an unauthenticated attacker to cause a permanent Denial-of-Service condition under certain conditions. Siemens has released updates for the affected products and recommends updating to the latest versions.

https://cert-portal.siemens.com/productcert/txt/ssa-173565.txt


SSA-178380: Denial-of-Service Vulnerability in SINUMERIK Controllers

A Denial-of-Service vulnerability found in SINUMERIK Controllers could allow an unauthenticated attacker with network access to the affected devices to cause a system failure with total loss of availability. Siemens has released an update for the SINUMERIK 828D and recommends updating to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.

https://cert-portal.siemens.com/productcert/txt/ssa-178380.txt


SSA-280624: Multiple Vulnerabilities in SCALANCE W1750D

The SCALANCE W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or trigger buffer overflows. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet, available.

https://cert-portal.siemens.com/productcert/txt/ssa-280624.txt


Advantech WebAccess SCADA

This advisory contains mitigations for a Missing Authorization vulnerability in the Advantech WebAccess SCADA HMI platform.

https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01


Advantech WebAccess

This advisory contains mitigations for Heap-based Buffer Overflow, and Stack-based Buffer Overflow vulnerabilities in the Advantech WebAccess HMI platform.

https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02


Schneider Electric IGSS

This advisory contains mitigations for Classic Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in Schneider Electric IGSS (Interactive Graphical SCADA System) software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-285-03


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-aix-6/


Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities-5/


Security Bulletin: Multiple Apache PDFBox security vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-security-vulnerabilities-2/


Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2020-5258)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-spectrum-scale-packaged-in-ibm-elastic-storage-server-cve-2020-5258/


Foxit Reader & PhantomPDF: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-1053