Tageszusammenfassung - 19.02.2021

End-of-Day report

Timeframe: Donnerstag 18-02-2021 18:00 - Freitag 19-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl

News

RIPE NCC Internet Registry discloses SSO credential stuffing attack

RIPE NCC is warning members that they suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.

https://www.bleepingcomputer.com/news/security/ripe-ncc-internet-registry-discloses-sso-credential-stuffing-attack/


Microsoft: Solarwinds-Angriffe gingen nach Auffliegen weiter

Microsoft bestätigt Angriffe der Solarwinds-Hacker bis in den Januar. Die Angreifer konnten zudem Quellcode herunterladen.

https://www.golem.de/news/microsoft-solarwinds-angriffe-gingen-nach-auffliegen-weiter-2102-154339-rss.html


Router Security

This report is six months old, and I don-t know anything about the organization that produced it, but it has some alarming data about router security.Conclusion: Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years.

https://www.schneier.com/blog/archives/2021/02/router-security.html


myMail Manages Your Mailbox- in a Strange Way!

myMail is a popular (10M+ downloads!) alternative email client for mobile devices. Available for iOS and Android, it is a powerful email client compatible with most of the mail providers (POP3/IMAP, Gmail, Yahoo!, Outlook, and even ActiveSync).

https://blog.rootshell.be/2021/02/19/mymail-manages-your-mailbox-in-a-strange-way/


Dynamic Data Exchange (DDE) is Back in the Wild?, (Fri, Feb 19th)

DDE or "Dynamic Data Exchange" is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects.

https://isc.sans.edu/diary/rss/27116


Kriminelle versuchen an Ihre Microsoft-Zugangsdaten zu kommen

Gerade durch das vermehrte Arbeiten im Home-Office werden Absprachen und Planungen immer stärker in die digitale Welt verlagert. Der -Microsoft Planner- ist ein oft genutztes Werkzeug, um den Überblick zu behalten - das wissen auch BetrügerInnen. Denn im Namen des -Microsoft Planner- verschicken Kriminelle derzeit E-Mails in der Hoffnung, dass die EmpfängerInnen Ihre Microsoft-Zugangsdaten preisgeben.

https://www.watchlist-internet.at/news/kriminelle-versuchen-an-ihre-microsoft-zugangsdaten-zu-kommen/


IronNetInjector: Turla-s New Malware Loading Tool

IronPython has been used for malicious purposes before, but in its new malware loading tool IronNetInjector, threat group Turla uses it in a new way.

https://unit42.paloaltonetworks.com/ironnetinjector/


SectopRAT Adds Encrypted Communication

SectopRAT first appeared in 2019, but a recent version discovered by G DATA shows it has evolved since original analysis.

https://exchange.xforce.ibmcloud.com/collection/1c75b182cb0446128ac95b0e49cc5a26

Vulnerabilities

Security Advisory: Privilege Management for Unix & Linux (PMUL) Basic and Privilege Management for Mac (PMM) Affected by Sudo Vulnerability

-On January 26, 2021, the Qualys research team disclosed a heap overflow vulnerability (CVE-2021-3156) within sudo that allows any unprivileged user to gain root privileges on Linux without requiring a password. BeyondTrust PBsudo/Privilege Management for Unix & Linux Basic is affected by this CVE. Apple also acknowledged and released updates to macOS for this CVE on Feb 10, 2021. Based on macOS releases, we confirmed that Privilege Management for Mac (PMM) is also impacted by this

https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability


VU#240785: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs

OverviewAtlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.DescriptionThe Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.ImpactBy placing a specially-crafted DLL

https://kb.cert.org/vuls/id/240785


Ceritude Securiy Advisory - CSA-2021-001: CSRF in Apache MyFaces (CVE-2021-26296)

Apache MyFaces is an open-source implementation of JSF. During a quick evaluation, Certitude found that the default CSRF protection of Apache MyFaces was insufficient as the CSRF tokens the framework generates can be guessed by an attacker.

https://certitude.consulting/advisories/CSA_2021_001_Cross_Site_Request_Forgery_in_Apache_MyFaces.md.txt


Security updates for Friday

Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).

https://lwn.net/Articles/846787/


Security Bulletin: WebSphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2021-20354)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-cve-2021-20354/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-5/


Security Bulletin: Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstream-apache-http-jackson-databind-openssl-and-node-js-affect-ibm-spectrum-control/


OpenSSL vulnerability CVE-2021-23840

https://support.f5.com/csp/article/K24624116


OpenSSL vulnerability CVE-2021-23839

https://support.f5.com/csp/article/K61903372


OpenSSL vulnerability CVE-2021-23841

https://support.f5.com/csp/article/K52833764


cURL vulnerability CVE-2020-8284

https://support.f5.com/csp/article/K63525058


cURL vulnerability CVE-2020-8285

https://support.f5.com/csp/article/K61186963


cURL vulnerability CVE-2020-8286

https://support.f5.com/csp/article/K15402727


Johnson Controls Metasys Reporting Engine (MRE) Web Services

https://us-cert.cisa.gov/ics/advisories/icsa-21-049-01


Mitsubishi Electric FA engineering software products

https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02