Daily summary - 03.12.2021

End-of-Day report

Timeframe: Thursday 02-12-2021 18:00 - Friday 03-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl

News

Key Characteristics of Malicious Domains: Report

Newer top-level domains and certain hosting providers are frequent sources of malicious content, while newly registered domains and free SSL certificates are not any more likely than average to be risky, new research shows.

https://www.darkreading.com/threat-intelligence/research-outs-the-providers-more-likely-to-host-malicious-content


Caution: "New Christmas emoji for WhatsApp" is a trap

Subscription traps and malware are being spread via a WhatsApp message that promises Christmas emoji.

https://futurezone.at/apps/vorsicht-neue-weihnachts-emoji-fuer-whatsapp-falle/401828500


The UPX Packer Will Never Die!, (Fri, Dec 3rd)

Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack their software to protect the code.

https://isc.sans.edu/diary/rss/28096


Exploring Container Security: A Storage Vulnerability Deep Dive

Recently, the GKE Security team discovered a high severity vulnerability in Kubernetes (CVE-2021-25741) that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.

https://security.googleblog.com/2021/12/exploring-container-security-storage.html


Analysis: AWS SageMaker Jupyter Notebook Instance Takeover

During our research about security in data science tools we decided to look at Amazon SageMaker which is a fully managed machine learning service in AWS. Here is the long and short of our recent discovery. [...] Using the access token, the attacker can read data from S3 buckets, create VPC endpoints and more actions that are allowed by the SageMaker execution role and the "AmazonSageMakerFullAccess" policy. We reported the vulnerability we discovered to the AWS security team [...]

https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability


Examples of virus mails sent after the takeover of an Exchange server

And here we are already at the third door of my blog's security advent calendar. I had warned several times here on the blog that unpatched Exchange servers are being taken over and misused for sending spam. A blog reader has now sent me a short note (thanks) because he found a compromised Exchange server which was compromised and was sending out infected spam mails.

https://www.borncity.com/blog/2021/12/03/beispiele-fr-viren-mails-nach-bernahme-eines-exchange-servers/


Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension

Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems.

https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html


Premium-rate services try to lure you into subscription traps!

Install the wrong app on your phone once, open a wrong link or click a seemingly harmless button: on a smartphone it can happen very quickly that you end up in a subscription trap and your phone bill suddenly turns out considerably higher than usual. But don't worry: even if money has already been debited, you can dispute the bill with your mobile provider.

https://www.watchlist-internet.at/news/mehrwertdienste-versuchen-sie-in-die-abo-falle-zu-locken/

Vulnerabilities

Researchers discover 14 new data-stealing web browser attacks

IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of XS-Leak cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.

https://www.bleepingcomputer.com/news/security/researchers-discover-14-new-data-stealing-web-browser-attacks/


CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho


IBM Security Bulletins 2021-12-02

IBM Integration Bus, Power System, IBM Cloud Pak System, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Cognos Analytics

https://www.ibm.com/blogs/psirt/


Technical Advisory - Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)

The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The "Interfaces" section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests.

https://research.nccgroup.com/2021/12/02/technical-advisory-authenticated-sql-injection-in-soap-request-cve-2021-44050/


Free Micropatches for the "InstallerFileTakeOver" 0day

Wow, this is the third 0day found by the same researcher we're patching in the last two weeks. Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation [...]

https://blog.0patch.com/2021/12/free-micropatches-for.html


Security updates for Friday

Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14).

https://lwn.net/Articles/877582/


Schneider Electric SESU

This advisory contains mitigations for an Insufficient Entropy vulnerability in the Schneider Electric Software Update.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-01


Johnson Controls Entrapass

This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Johnson Controls Entrapass security management software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-02


Distributed Data Systems WebHMI

This advisory contains mitigations for Authentication Bypass by Primary Weakness, and Unrestricted Upload of File with Dangerous Type vulnerabilities in Distributed Data Systems WebHMI SCADA systems.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03


Hitachi Energy RTU500 series BCI

This advisory contains mitigations for an Improper Input Validation vulnerability in Hitachi Energy RTU500 series BCI remote terminal units.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-04


Hitachi Energy Relion 670/650/SAM600-IO

This advisory contains mitigations for an Insecure Default Initialization of Resource vulnerability in Hitachi Energy Relion 670/650/SAM600-IO Intelligent Electronic Devices (IEDs).

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-05


Hitachi Energy APM Edge

This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in Hitachi Energy Transformer Asset Performance Management (APM) Edge software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-06


Hitachi Energy PCM600 Update Manager

This advisory contains mitigations for an Improper Certificate Validation vulnerability in Hitachi Energy PCM600 Update Manager protection and control IED software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-07


Hitachi Energy RTU500 series

This advisory contains mitigations for Observable Discrepancy, Buffer Over-read, and Out-of-bounds Read vulnerabilities in Hitachi Energy RTU500 remote terminal units.

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-08