End-of-Day report
Timeframe: Montag 15-11-2021 18:00 - Dienstag 16-11-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
News
Malware: Emotet ist zurück
Sicherheitsforscher haben eine neue Variante von Emotet entdeckt. Noch wird der Schädling von einer anderen Malware nachgeladen.
https://www.golem.de/news/malware-emotet-ist-zurueck-2111-161124-rss.html
Windows Sonder-Updates gegen DC-Authentifizierungsprobleme und Druckprobleme
Die Sicherheitsupdates vom November für Windows verursachen teils Authentifizierungsprobleme bei Domain Controllern sowie Druckprobleme. Microsoft patcht nach.
https://heise.de/-6267784
Fake Ransomware Infection Spooks Website Owners
Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for -FOR RESTORE SEND 0.1 BITCOIN- were sitting at 6 last week and increased to 291 at the time of writing this.
https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html
GitHub Confirms Another Major NPM Security Defect
Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain.
https://www.securityweek.com/github-confirms-another-major-npm-security-defect
Black Friday: Vorsicht vor Fake-Angeboten
Am 26. November 2021 ist Black Friday. Und darauf folgt am 29. November schon der Cyber Monday - für Schnäppchenjäger wahre Shopping-Feiertage. Wir raten aber zur Vorsicht: Nicht nur seriöse Anbieter locken mit günstigen Preisen und Rabatten, auch Fake-Shops werben mit Black Friday Angeboten.
https://www.watchlist-internet.at/news/black-friday-vorsicht-vor-fake-angeboten/
An update on the state of the NIS2 draft
This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th. This is not a complete review of the current state of the NIS2 discussions.
https://cert.at/en/blog/2021/11/an-update-on-the-state-of-the-nis2-draft
New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
[...] today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.
https://us-cert.cisa.gov/ncas/current-activity/2021/11/16/new-federal-government-cybersecurity-incident-and-vulnerability
A new Android banking trojan named SharkBot is makings its presence felt
Security researchers have discovered a new Android banking trojan capable of hijacking users smartphones and emptying out e-banking and cryptocurrency accounts.
https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-makings-its-presence-felt/
New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk
Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin [...]
https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-attack-puts-popular-admin-tools-at-risk/
Kernel Karnage - Part 3 (Challenge Accepted)
[...] The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that didn-t impress our blue team, so I received a challenge to bypass $vendor2. I have to admit, after trying all week to get around the protections, $vendor2 is definitely a bigger beast to tame.
https://blog.nviso.eu/2021/11/16/kernel-karnage-part-3-challenge-accepted/
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim).
https://lwn.net/Articles/876227/
Synology-SA-21:28 Mail Station
A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_28
AMD Windows 10-Grafiktreiber mit Schwachstellen (Nov. 2021)
Nutzer mit AMD-Grafikkarten und Windows 10 sollten sich mit dem Thema Aktualisierung von AMD-Grafiktreibern befassten. Der Hersteller hat eingestanden, dass seine Windows 10-Grafiktreiber zahlreiche Sicherheitslücken aufweisen. Einige Schwachstellen (z.B. im Grafiktreiber) werden als sicherheitstechnisch Hoch eingestuft.
https://www.borncity.com/blog/2021/11/16/amd-windows-10-treiber-mit-schwachstellen/
WAGO: Denial of Service Vulnerability in CODESYS Runtime 2.3
https://cert.vde.com/de/advisories/VDE-2021-049/
WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack.
https://cert.vde.com/de/advisories/VDE-2021-050/
WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation
https://cert.vde.com/de/advisories/VDE-2021-056/
Grafana: Schwachstelle ermöglicht Privilegieneskalation
https://www.cert-bund.de/advisoryshort/CB-K21-1205
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen Denial of Service
https://www.cert-bund.de/advisoryshort/CB-K21-1207
ZDI-21-1312: Open Design Alliance (ODA) ODAViewer DWG File Parsing Use-After-Free Remote Code Execution Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-21-1312/
ZDI-21-1311: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-21-1311/
ZDI-21-1310: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-21-1310/
Security Bulletin: A vulnerability in filesystem audit logging affects IBM Spectrum Scale.
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-filesystem-audit-logging-affects-ibm-spectrum-scale/
Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-affects-ibm-cloud-pak-system-cve-2020-27221/
Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-server-is-affected-by-openssl-vulnerability-cve-2021-3711/
Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-in-eclipse-jetty-cve-2021-28165/
Security Bulletin: IBM WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-mq-for-hp-nonstop-server-is-affected-by-openssl-vulnerability-cve-2021-3711/
Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse (CVE-2020-27225)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-in-eclipse-cve-2020-27225/
Security Bulletin: IBM MQ can inadvertently display cleartext credentials via diagnostic logs (CVE-2021-38949)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-can-inadvertently-display-cleartext-credentials-via-diagnostic-logs-cve-2021-38949/