Daily Summary - 19.11.2021

End-of-Day report

Timeframe: Thursday 18-11-2021 18:00 - Friday 19-11-2021 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Security threats on the web: the biggest risks according to the OWASP Top Ten 2021

The OWASP Top Ten 2021 updates the list of security threats on the web. Broken access control ranks first.

https://heise.de/-6271591


Qnap releases NAS updates and disables an app for security reasons

Attackers could attack Qnap network storage devices. The security patch for one vulnerability is still pending.

https://heise.de/-6272271


Azure Active Directory: Vulnerability exposes private keys

In Azure Automation, private keys were visible to every user of the AD. Although Microsoft has fixed the problem, rotating the keys is advised.

https://heise.de/-6272248


ProxyNoShell: Mandiant warns of new attack methods against Exchange servers (Nov. 2021)

For months, cyber attackers have been using three known vulnerabilities in Microsoft's Exchange servers for which updates have already been available for months. Nevertheless, around 30,000 Microsoft Exchange servers that are vulnerable to these flaws are reachable over the internet. Security researchers have now [...]

https://www.borncity.com/blog/2021/11/19/proxynoshell-mandiant-warnt-vor-neuen-angriffsmethoden-auf-exchange-server-nov-2021/


Malware downloaded from PyPI 41,000 times was surprisingly stealthy

Malware infiltrating open source repositories is getting more sophisticated.

https://arstechnica.com/?p=1814211


Android malware BrazKing returns as a stealthier banking trojan

The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions.

https://www.bleepingcomputer.com/news/security/android-malware-brazking-returns-as-a-stealthier-banking-trojan/


Ransomware Phishing Emails Sneak Through SEGs

The MICROP ransomware spreads via Google Drive and locally stored passwords.

https://threatpost.com/ransomware-phishing-emails-segs/176470/


Downloader Disguised as Excel Add-In (XLL), (Fri, Nov 19th)

At the Internet Storm Center, we like to show how exotic extensions can be used to make victims feel confident to open malicious files. There is an interesting webpage that maintains a list of dangerous extensions used by attackers: filesec.io[1]. The list is regularly updated and here is an example of a malicious file that is currently not listed: "XLL". It's not a typo, it's not a "DLL" but close to!

https://isc.sans.edu/diary/rss/28052


New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks

Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian said.

https://thehackernews.com/2021/11/new-side-channel-attacks-re-enable.html


Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure

Security researchers have checked the web's public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities.

https://go.theregister.com/feed/www.theregister.com/2021/11/19/web_trust_certificates/


Patch now! FatPipe VPN zero-day actively exploited

The FBI has revealed that APT actors have been abusing a zero-day in FatPipe's MPVPN, WARP, and IPVPN products since May.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-fatpipe-vpn-zero-day-actively-exploited/


New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses

Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. We've recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. In this latest campaign, operators deployed clipboard hijacking code that replaces a [...]

https://www.riskiq.com/blog/external-threat-management/aggah-clipboard-hijack-crypto/


Ransomware is now a giant black hole that is sucking in all other forms of cybercrime

File-encrypting malware is where the money is -- and that's changing the whole online crime ecosystem.

https://www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-sucking-in-all-other-forms-of-cybercrime/


All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients

[...] Team82's research uncovered four vulnerabilities in popular industrial VPN solutions from vendors HMS Industrial Networks, Siemens, PerFact, and MB connect line. The vulnerabilities expose users to remote and arbitrary code execution attacks, and also enable attackers to elevate privileges. All four vendors have either provided a fix in an updated version of their respective products, or suggested mitigations.

https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/


Kernel Karnage - Part 4 (Inter(ceptor)mezzo)

To make up for the long wait between parts 2 and 3, we're releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor.

https://blog.nviso.eu/2021/11/19/kernel-karnage-part-4-interceptormezzo/

Vulnerabilities

Security Bulletin: Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products

A vulnerability in the sed command could allow an authenticated attacker to escape from a restricted shell to obtain sensitive information and cause a denial of service.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sed-affects-ibm-san-volume-controller-ibm-storwize-ibm-spectrum-virtualize-and-ibm-flashsystem-v9000-products-2/


Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2021-29843

IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. The issue is described by CVE-2021-29843.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-server-is-affected-by-vulnerability-cve-2021-29843/


Xen Security Advisory CVE-2021-28710 / XSA-390 - certain VT-d IOMMUs may not work in shared page table mode

Impact: A malicious guest may be able to escalate its privileges to that of the host.

https://xenbits.xen.org/xsa/advisory-390.html


Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.

https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-user-after-free.html


Security updates for Friday

Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird).

https://lwn.net/Articles/876528/


QNX-2021-002 Vulnerability in BMP Image Codec Impacts BlackBerry QNX Software Development Platform (SDP)

https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000089042


K48382137: Bootstrap vulnerability CVE-2018-14040

https://support.f5.com/csp/article/K48382137


K19785240: Bootstrap vulnerability CVE-2018-14042

https://support.f5.com/csp/article/K19785240