Daily summary - 17.02.2021

End-of-Day report

Timeframe: Tuesday 16-02-2021 18:00 - Wednesday 17-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

Masslogger Swipes Microsoft Outlook, Google Chrome Credentials

A new version of the Masslogger trojan has been targeting Windows users - now using a compiled HTML (CHM) file format to start the infection chain.

https://threatpost.com/masslogger-microsoft-outlook-google-chrome/164011/


The new "LinkedInSecureMessage"? (Wed, Feb 17th)

With all the talk of secure messenger applications lately, I bet you'd like to have just one more, right? In the past few weeks, we've noticed a new variant on a typical cred-stealer, in this case offering itself up as a new, secure messaging format used over the career website LinkedIn.

https://isc.sans.edu/diary/rss/27110


Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping

A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls. That's according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.io's SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; healthcare apps like Talkspace, Practo, and Dr. First's Backline; and in the Android app that's paired with the "temi" personal robot.

https://thehackernews.com/2021/02/agora-sdk-bug-left-several-video.html


North Korean Malicious Cyber Activity: AppleJeus

Original release date: February 17, 2021. CISA, the Federal Bureau of Investigation, and the Department of the Treasury have released a Joint Cybersecurity Advisory and seven Malware Analysis Reports (MARs) on the North Korean government's dissemination of malware that facilitates the theft of cryptocurrency, referred to by the U.S. Government as "AppleJeus." The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

https://us-cert.cisa.gov/ncas/current-activity/2021/02/17/north-korean-malicious-cyber-activity-applejeus


Remotely Exploitable 0day in Internet Explorer Gets a Free Micropatch

On February 4, 2021, security researchers at ENKI, a South Korean security consultancy, published a blog post detailing an unpatched vulnerability in Internet Explorer. This "0day" vulnerability was used in an attack campaign against various security researchers, including ENKI researchers, who noticed the attack and took the exploit apart to extract the vulnerability information. ENKI researchers kindly shared their proof of concept with us, so we could quickly start analyzing the vulnerability and create a micropatch for it.

https://blog.0patch.com/2021/02/remotely-exploitable-0day-in-internet.html


Beware of suspiciously cheap offers on Facebook Marketplace!

Facebook's Marketplace lets not only private sellers but also commercial traders offer new and used products. Interested buyers should, however, carefully check the listings and the Facebook profiles behind them, because, as on other classified-ad platforms, fraud occurs on Facebook again and again. We show you how to spot fraudulent offers.

https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-angeboten-im-facebook-marketplace/

Vulnerabilities

QNAP patches critical vulnerability in Surveillance Station NAS app

QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software.

https://www.bleepingcomputer.com/news/security/qnap-patches-critical-vulnerability-in-surveillance-station-nas-app/


OpenSSL Security Advisory [16 February 2021]

Severity Moderate: Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
Severity Low: Incorrect SSLv2 rollback protection (CVE-2021-23839)
Severity Low: Integer overflow in CipherUpdate (CVE-2021-23840)

https://www.openssl.org/news/secadv/20210216.txt


One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations.

https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/


Security updates for Wednesday

Security updates have been issued by Debian (openssl and ruby-mechanize), Fedora (chromium, jasper, roundcubemail, spice-vdagent, and webkit2gtk3), openSUSE (python-bottle), Oracle (dotnet, kernel, and kernel-container), Red Hat (redhat-ds:11, RHDM, and RHPAM), SUSE (jasper, kernel, and screen), and Ubuntu (thunderbird and wpa).

https://lwn.net/Articles/846476/


Cisco StarOS Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-StarOS-DoS-RLLvGFJj


Cisco Webex Meetings Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-Lz6HbGCt


Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wda-pt-msh-6LWOcZ5


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-info-exp-8RsuEu8S


Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-hijac-JrcTOQMC


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for AIX and Linux - July 2020.

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-rational-developer-for-aix-and-linux-july-2020/


Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-6/


Security Bulletin: OpenSSL vulnerability affects IBM Engineering Workflow Management

https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-affects-ibm-engineering-workflow-management/


Hamilton-T1

https://us-cert.cisa.gov/ics/advisories/icsma-21-047-01


Open Design Alliance Drawings SDK

https://us-cert.cisa.gov/ics/advisories/icsa-21-047-01


Rockwell Automation Allen-Bradley Micrologix 1100

https://us-cert.cisa.gov/ics/advisories/icsa-21-047-02