End-of-Day report
Timeframe: Mittwoch 03-11-2021 18:00 - Donnerstag 04-11-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
News
Wichtige Cisco-Updates: Recycelte SSH-Keys vereinfachten unbefugte Root-Zugriffe
Neue Versionen schließen eine kritische Lücke in Ciscos Policy Suite. Auch Catalyst PON Switches & weitere Produkte wurden gegen Angriffe abgesichert.
https://heise.de/-6251668
BSI-Paper: Technische Grundlagen sicherer Messenger-Dienste
Milliardenfach kommt weltweit ein Kommunikationsmittel zum Zuge: Messenger-Dienste. Die kurze geschriebene oder gesprochene Nachricht überrundet schon lange die SMS. Doch wie funktionieren Messenger? Was macht sie sicher und was eher nicht? Auf diese und weitere Fragen gibt das BSI-Paper -Moderne Messenger - heute verschlüsselt, morgen interoperabel?- Antwort.
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211104_Messenger-Dienste.html
Cyberkriminelle verkaufen Zugänge zu internationalen Logistikfirmen
Es handelt sich oft um Schwachstellen in RDP und VPN. Angeboten werden aber auch gestohlene Zugangsdaten. Sicherheitsforscher warnen vor weiteren negativen Folgen für die Lieferkette.
https://www.zdnet.de/88397581/cyberkriminelle-verkaufen-zugaenge-zu-internationalen-logistikfirmen/
Betrug mit Verdopplung Ihrer Bitcoins und Kryptowährungen!
Kriminelle machen ein attraktives Angebot: Sie versprechen eine Verdopplung eingezahlter Kryptowährungen durch einfaches Übetragen auf eine Wallet. Der Haken an der Sache: Übertragene Währungen sind verloren, denn sie landen direkt auf den Wallets der Kriminellen. Genau das passiert auch auf spacegetbonus.com mit Bitcoin, Ethereum und Dogecoin!
https://www.watchlist-internet.at/news/betrug-mit-verdopplung-ihrer-bitcoins-und-kryptowaehrungen/
Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware
A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.
https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshell-exploits-used-to-deploy-babuk-ransomware/
Samsung Galaxy S21 hacked on second day of Pwn2Own Austin
Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP.
https://www.bleepingcomputer.com/news/security/samsung-galaxy-s21-hacked-on-second-day-of-pwn2own-austin/
5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls
Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques.
https://www.darkreading.com/edge-threat-monitor/5-mitre-attck-tactics-most-frequently-detected-by-cisco-secure-firewalls
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns
Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands.
https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/
Credit card skimmer evades Virtual Machines
After code obfuscation, anti-debugger tricks we now see virtual machine detection used by credit card skimmers.
https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/
The Vagabon Kit Highlights -Frankenstein- Trend in Phishing
In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim. The kit doesnt display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services.
https://www.riskiq.com/blog/external-threat-management/vagabon-kit-frankenstein-phishing/
Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server
GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a new Intezer Protect user-s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit [...]
https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/
Cobalt Strike: Using Process Memory To Decrypt Traffic - Part 3
We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic.
https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/
Vulnerabilities
Critical RCE Vulnerability Reported in Linux Kernels TIPC Module
Cybersecurity researchers have disclosed a security flaw in the Linux Kernels Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel [...]
https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.html
Security updates for Thursday
Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
https://lwn.net/Articles/875106/
Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server
[...] Summary: Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote.
https://cert.vde.com/de/advisories/VDE-2021-051/
VISAM VBASE Editor
This advisory contains mitigations for Improper Access Control, Cross-site Scripting, Using Components with Known Vulnerabilities, and Improper Restriction of XML External Entity Reference vulnerabilities in the VISAM VBASE Editor automation platform.
https://us-cert.cisa.gov/ics/advisories/icsa-21-308-01
AzeoTech DAQFactory
This advisory contains mitigations for Use of Inherently Dangerous Function, Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information, and Modification of Assumed-Immutable Data (MAID) vulnerabilities in the AzeoTech DAQFactory software and application development platform.
https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02
BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities
On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher-s software tools. BrakTooth-originally disclosed in August 2021-is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution.
https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-concept-tool-demonstrates-bluetooth
Security Bulletin: Vulnerability in Oracle, Java SE Affecting Watson Speech Services
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-oracle-java-se-affecting-watson-speech-services/
Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability (CVE-2020-26939)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-bouncy-castle-vulnerability-cve-2020-26939/
Reflected cross-site scripting vulnerability in IBM Sterling B2B Integrator
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-vulnerability-in-ibm-sterling-b2b-integrator/
Grafana: Schwachstelle ermöglicht Cross-Site Scripting
https://www.cert-bund.de/advisoryshort/CB-K21-1154