End-of-Day report
Timeframe: Monday 29-11-2021 18:00 - Tuesday 30-11-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Printing Shellz: Security vulnerabilities in HP printers/multifunction devices
Fitting for 30 November, Computer Security Day, I have one more item. There is a security vulnerability in the firmware of certain HP LaserJet, HP LaserJet Managed, HP PageWide and HP PageWide Managed products. These are potentially susceptible to a buffer overflow. That means attackers could intercept print jobs or scans and possibly paralyse company networks.
https://www.borncity.com/blog/2021/11/30/printing-shellz-sicherheitslcken-in-hp-druckern-multifunktionsgerten/
Fake BAWAG SMS in circulation
Fake SMS messages in the name of BAWAG are currently circulating. In the SMS, sent with "BawagPSK" as the sender, recipients are informed that their account has allegedly been blocked and that a security app must be installed. Under no circumstances click on the link. It leads to a fake BAWAG website!
https://www.watchlist-internet.at/news/gefaelschtes-bawag-sms-im-umlauf/
Malicious USB drives: Still a security problem
A malicious USB drive dropped in a parking lot - this image has become a bit of a trope in IT security circles. Still, the threat is very real and more relevant than ever.
https://www.gdatasoftware.com/blog/2021/11/usb-drives-still-a-danger
What We've Learned About SSH Brute Force Attacks
The first time I encountered brute force attacks I was a hosting specialist who received calls from frustrated site owners that wanted to know who'd gained access to their server. Many of them didn't understand the importance of a password's character strength, or how frequent attacks on "root" are as a username, including myself at one point in time. I've learned more about SSH Brute Force attacks throughout my years at Sucuri.
https://blog.sucuri.net/2021/11/what-weve-learned-about-ssh-brute-force-attacks.html
300.000+ infections via Droppers on Google Play Store
In this blog we will discuss the recent techniques used to spread Android banking trojans via Google Play (MITRE T1475) resulting in significant financial loss for targeted banks. We will also discuss the, sometimes forgotten, by-product of collecting contacts and keystrokes by Banking trojans, resulting in severe data leakage.
https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html
Sabbath Ransomware Operators Target Critical Infrastructure
Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.
https://www.securityweek.com/sabbath-ransomware-operators-target-critical-infrastructure
Yanluowang: Further Insights on New Ransomware Threat
At least one attacker now using Yanluowang may have previously been linked to Thieflock ransomware operation.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
Kernel Karnage - Part 5 (I/O & Callbacks)
After showing interceptor's options, it's time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C.
https://blog.nviso.eu/2021/11/30/kernel-karnage-part-5-i-o-callbacks/
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (samba), Fedora (kernel), openSUSE (netcdf and tor), SUSE (netcdf and python-Pygments), and Ubuntu (imagemagick).
https://lwn.net/Articles/877186/
ZDI-21-1371: (0Day) Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1371/
ZDI-21-1370: (0Day) Esri ArcReader PMF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1370/
Trend Micro products: Vulnerability allows bypassing of security measures
https://www.cert-bund.de/advisoryshort/CB-K21-1244
Cross-Site Request Forgery in Team Password Manager (SYSS-2021-059)
https://www.syss.de/pentest-blog/cross-site-request-forgery-im-team-password-manager-syss-2021-059
Host Header Poisoning in Team Password Manager (SYSS-2021-060)
https://www.syss.de/pentest-blog/host-header-poisoning-im-team-password-manager-syss-2021-060
Advisory: Vulnerabilities in B&R Automation Studio and PVI Windows Services
https://www.br-automation.com/downloads_br_productcatalogue/assets/1636745459964-en-original-1.0.pdf
Advisory: Number:Jack in B&R Products
https://www.br-automation.com/downloads_br_productcatalogue/assets/1636745459972-en-original-1.0.pdf
Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2019-17571)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-may-affect-cram-social-program-management-cve-2019-17571/
Security Bulletin: A Security Vulnerability in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-ibm-websphere-application-server-liberty-affect-ibm-lks-administration-and-reporting-tool-and-its-agent/
Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2021-38999)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-sensitive-information-disclosure-vulnerability-cve-2021-38999/
Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2021-35517, CVE-2021-36090)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-application-server-liberty-affect-ibm-operations-analytics-log-analysis-cve-2021-35517-cve-2021-36090/
Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-http-server-powered-by-apache-for-i/
Security Bulletin: Publicly disclosed vulnerability in GNU Binutils affects IBM Netezza Performance Server
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-in-gnu-binutils-affects-ibm-netezza-performance-server/
Security Bulletin: IBM MQ Appliance is affected by a code injection vulnerability (CVE-2021-38967)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-code-injection-vulnerability-cve-2021-38967/
Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM License Key Server Administration and Reporting Tool and its Agent
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-ibm-java-runtime-affects-ibm-license-key-server-administration-and-reporting-tool-and-its-agent/
Security Bulletin: IBM MQ Appliance is affected by a disclosure of sensitive information vulnerability (CVE-2021-39000)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-disclosure-of-sensitive-information-vulnerability-cve-2021-39000/