End-of-Day report
Timeframe: Thursday 04-02-2021 18:00 - Friday 05-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
News
Hackers steal StormShield firewall source code in data breach
Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.
https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-firewall-source-code-in-data-breach/
Free coffee! Belgian researcher hacks prepaid vending machines
Only try this at home, folks! As easy as it might look, it's illegal in the wild, with good reason.
https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-hacks-prepaid-vending-machines/
Stack Canaries - Gingerly Sidestepping the Cage
Tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks.
https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage
[SANS ISC] VBA Macro Trying to Alter the Application Menus
I published the following diary on isc.sans.edu: "VBA Macro Trying to Alter the Application Menus": Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory, but I spotted a VBA macro that tried to use the same defensive technique
https://blog.rootshell.be/2021/02/05/sans-isc-vba-macro-trying-to-alter-the-application-menus/
Abusing Google Chrome extension syncing for data exfiltration and C&C
I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication.
https://isc.sans.edu/diary/rss/27066
besondereprasente.com: Demand your money back!
Although the website besondereprasente.com no longer exists, Watchlist Internet continues to receive numerous reports about this fake shop. The reason: anyone who orders from besondereprasente.com falls into an expensive subscription trap.
https://www.watchlist-internet.at/news/besondereprasentecom-fordern-sie-ihr-geld-zurueck/
Plex Media servers are being abused for DDoS attacks
Cyber-security firm Netscout warns of new DDoS attack vector.
https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-attacks/
Kaspersky warns of crypto scam
Kaspersky has discovered a new scam scheme that targets Discord users with tempting offers from supposed new crypto exchanges.
https://www.zdnet.de/88393274/kasperksy-warnt-vor-krypto-scam/
Vulnerabilities
Zero-day in the Chrome browser: install the update now
An actively exploited vulnerability in the Chrome browser endangers most operating systems. Google has released an update.
https://heise.de/-5046783
Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style
On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.
https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sites-must-find-alternative-for-contact-form-7-style/
Security updates for Friday
Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).
https://lwn.net/Articles/845191/
WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
https://jvn.jp/en/jp/JVN50470170/
Security Bulletin: Watson Machine Learning Community Edition docker containers have been updated to fix a security issue in libcurl
https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-community-edition-docker-containers-have-been-updated-to-fix-a-security-issue-in-libcurl/
Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Connect:Direct Web Services
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-connectdirect-web-services/
Security Bulletin: TensorFlow in Watson Machine Learning 1.6.2 and 1.7.0 has been patched for various security issues in nanopb.
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-machine-learning-1-6-2-and-1-7-0-has-been-patched-for-various-security-issues-in-nanopb/
Security Bulletin: IBM API Connect is impacted by insecure web server configuration (CVE-2020-4825)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-insecure-web-server-configuration-cve-2020-4825/
Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues.
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-machine-learning-community-edition-1-6-2-and-1-7-0-has-been-patched-for-various-security-issues-2/
Security Bulletin: Content Collector for Email is affected by an embedded WebSphere Application Server Admin Console
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-email-is-affected-by-a-embedded-websphere-application-server-admin-console/
Security Bulletin: Vulnerabilities in WebSphere Liberty server (WLP) affect IBM Cloud Application Business Insights
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websphere-liberty-server-wlp-affects-ibm-cloud-application-business-insights/
Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC.
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-go-affect-ibm-cloud-pak-for-multicloud-management-hybrid-grc/
Security Bulletin: PowerHA System Mirror for AIX vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-powerha-system-mirror-for-aix-vulnerability/
Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-and-ibm-integration-bus-cve-2020-7754/