End-of-Day report
Timeframe: Freitag 12-11-2021 18:00 - Montag 15-11-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
News
PSA: Apple isn-t actually patching all the security holes in older versions of macOS
Big Sur got a fix 234 days before Catalina did, although both are supported.
https://arstechnica.com/?p=1812611
FTC shares ransomware defense tips for small US businesses
The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to secure their networks from ransomware attacks by blocking threat actors attempts to exploit vulnerabilities using social engineering or exploits targeting technology.
https://www.bleepingcomputer.com/news/security/ftc-shares-ransomware-defense-tips-for-small-us-businesses/
Video: Obfuscated Maldoc: Reversed BASE64, (Sun, Nov 14th)
I made a video of the maldoc analysis I explained in yesterday's diary entry "Obfuscated Maldoc: Reversed BASE64".
https://isc.sans.edu/diary/rss/28032
Changing your AD Password Using the Clipboard - Not as Easy as Youd Think!, (Mon, Nov 15th)
Let me know if this scenario is familiar? [...] Microsoft won't allow you to paste a password into their GUI "password change". Apparantly Microsoft wants us to continue to use passwords like "Passw0rd1!" and "Winter2021!" forever, until all AD domains are "passwordless"
https://isc.sans.edu/diary/rss/28036
Microsoft Out of Band Update Resolves Kerberos Issue, (Mon, Nov 15th)
Since Patch Tuesday, we've been tracking a Kerboros issue in November's patch bundle that affected authentication in several deployment scenarios: [...] This was fixed out of band yesterday (November 14, 2021). If you have applied November's update and are affected, you'll want to apply the "November-take-two" update on any affected servers.
https://isc.sans.edu/diary/rss/28040
Exploiting CSP in Webkit to Break Authentication & Authorization
[...] Long story short, there was a vulnerability that we reported to Safari that Apple didn-t consider severe enough to fix quickly which then after waiting for a significant amount of time, we decided to exploit and earn some bounties by reporting them to bug bounty programs.
https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-authorization/
E-Mail-Server des FBI gehackt - für Fake-Warnungen über Cyber-Angriffe genutzt
Cyberkriminelle haben einen E-Mail-Server des FBI gekapert. Anschließend verschickten sie über 100.000 Spam-Mails mit einer Warnung vor einem Cyberangriff.
https://heise.de/-6266349
POC2021 - Pwning the Windows 10 Kernel with NFTS and WNF Slides
Alex Plaskett presented -Pwning the Windows 10 Kernel with NTFS and WNF- at Power Of Community (POC) on the 11th of November 2021. The abstract of the talk is as follows: A local privilege escalation vulnerability (CVE-2021-31956) 0day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad [...]
https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kernel-with-nfts-and-wnf-slides/
Exchange Exploit Leads to Domain Wide Ransomware
In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. ProxyShell is a name given to [...]
https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
AutoPoC - Validating the Lack of Validation in PoCs
HoneyPoC was a project to look at how popular CVE PoCs could be. AutoPoC took that concept and enabled the mass creation of disinformation. Also, Data is beautiful.
https://blog.zsec.uk/honeypoc-ultimate/
AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
AT&T Alien Labs- has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.
https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp).
https://lwn.net/Articles/876135/
Security Bulletin: Use of a one way hash without a salt in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38979)
https://www.ibm.com/blogs/psirt/security-bulletin-use-of-a-one-way-hash-without-a-salt-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38979/
Security Bulletin: Hazardous Input Validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38972)
https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validation-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38972/
Security Bulletin: Password stored in cleartext in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38976)
https://www.ibm.com/blogs/psirt/security-bulletin-password-stored-in-cleartext-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38976/
Security Bulletin: Missing http strict transport security header in in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38978)
https://www.ibm.com/blogs/psirt/security-bulletin-missing-http-strict-transport-security-header-in-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38978/
Security Bulletin: Cross-Site scripting in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38982)
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38982/
Security Bulletin: Missing cookie secure attribute in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38977)
https://www.ibm.com/blogs/psirt/security-bulletin-missing-cookie-secure-attribute-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38977/
Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38985)
https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validation-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38985/
Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38983)
https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-strength-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38983/
Security Bulletin: Using components with known vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2021-20492)
https://www.ibm.com/blogs/psirt/security-bulletin-using-components-with-known-vulnerabilities-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-20492/
Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-integration-bus-v10-cve-2021-32803/
Security Bulletin: Denial of service in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38974)
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38974/
Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38973)
https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validation-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38973/
Security Bulletin: Information exposure in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38975)
https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-in-ibm-security-guardium-key-lifecycle-manager-4-1-1-cve-2021-38975/
Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38984)
https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-strength-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38984/
Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38981)
https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-security-guardium-key-lifecycle-manager-4-1-1-cve-2021-38981/