Daily summary - 16.11.2021

End-of-Day report

Timeframe: Monday 15-11-2021 18:00 - Tuesday 16-11-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes

News

Malware: Emotet is back

Security researchers have discovered a new variant of Emotet. For now the malware is being dropped by another malware family.

https://www.golem.de/news/malware-emotet-ist-zurueck-2111-161124-rss.html


Windows out-of-band updates for DC authentication problems and printing problems

The November security updates for Windows cause authentication problems on domain controllers as well as printing problems in some environments. Microsoft has released follow-up fixes.

https://heise.de/-6267784


Fake Ransomware Infection Spooks Website Owners

Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for "FOR RESTORE SEND 0.1 BITCOIN" were sitting at 6 last week and increased to 291 at the time of writing this.

https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html


GitHub Confirms Another Major NPM Security Defect

Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain.

https://www.securityweek.com/github-confirms-another-major-npm-security-defect


Black Friday: beware of fake offers

Black Friday is on 26 November 2021, followed on 29 November by Cyber Monday, both shopping holidays for bargain hunters. We advise caution, though: not only legitimate retailers lure customers with low prices and discounts, fake shops also advertise with Black Friday offers.

https://www.watchlist-internet.at/news/black-friday-vorsicht-vor-fake-angeboten/


An update on the state of the NIS2 draft

This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th. This is not a complete review of the current state of the NIS2 discussions.

https://cert.at/en/blog/2021/11/an-update-on-the-state-of-the-nis2-draft


New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks

[...] today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.

https://us-cert.cisa.gov/ncas/current-activity/2021/11/16/new-federal-government-cybersecurity-incident-and-vulnerability


A new Android banking trojan named SharkBot is making its presence felt

Security researchers have discovered a new Android banking trojan capable of hijacking users smartphones and emptying out e-banking and cryptocurrency accounts.

https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-makings-its-presence-felt/


New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk

Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin [...]

https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-attack-puts-popular-admin-tools-at-risk/


Kernel Karnage - Part 3 (Challenge Accepted)

[...] The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that didn't impress our blue team, so I received a challenge to bypass $vendor2. I have to admit, after trying all week to get around the protections, $vendor2 is definitely a bigger beast to tame.

https://blog.nviso.eu/2021/11/16/kernel-karnage-part-3-challenge-accepted/

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim).

https://lwn.net/Articles/876227/


Synology-SA-21:28 Mail Station

A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station.

https://www.synology.com/en-global/support/security/Synology_SA_21_28


AMD Windows 10 graphics drivers with vulnerabilities (Nov. 2021)

Users with AMD graphics cards and Windows 10 should look into updating their AMD graphics drivers. The vendor has admitted that its Windows 10 graphics drivers contain numerous security vulnerabilities. Some of them (e.g. in the graphics driver) are rated High severity.

https://www.borncity.com/blog/2021/11/16/amd-windows-10-treiber-mit-schwachstellen/


WAGO: Denial of Service Vulnerability in CODESYS Runtime 2.3

https://cert.vde.com/de/advisories/VDE-2021-049/


WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack.

https://cert.vde.com/de/advisories/VDE-2021-050/


WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation

https://cert.vde.com/de/advisories/VDE-2021-056/


Grafana: vulnerability allows privilege escalation

https://www.cert-bund.de/advisoryshort/CB-K21-1205


Red Hat JBoss Enterprise Application Platform: multiple vulnerabilities allow denial of service

https://www.cert-bund.de/advisoryshort/CB-K21-1207


ZDI-21-1312: Open Design Alliance (ODA) ODAViewer DWG File Parsing Use-After-Free Remote Code Execution Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-1312/


ZDI-21-1311: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-1311/


ZDI-21-1310: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-1310/


Security Bulletin: A vulnerability in filesystem audit logging affects IBM Spectrum Scale.

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-filesystem-audit-logging-affects-ibm-spectrum-scale/


Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-affects-ibm-cloud-pak-system-cve-2020-27221/


Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-server-is-affected-by-openssl-vulnerability-cve-2021-3711/


Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-in-eclipse-jetty-cve-2021-28165/


Security Bulletin: IBM WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-mq-for-hp-nonstop-server-is-affected-by-openssl-vulnerability-cve-2021-3711/


Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse (CVE-2020-27225)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-in-eclipse-cve-2020-27225/


Security Bulletin: IBM MQ can inadvertently display cleartext credentials via diagnostic logs (CVE-2021-38949)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-can-inadvertently-display-cleartext-credentials-via-diagnostic-logs-cve-2021-38949/