End-of-Day report
Timeframe: Tuesday 23-02-2021 18:00 - Wednesday 24-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Finnish IT services giant TietoEVRY discloses ransomware attack
Finnish IT services giant TietoEVRY has suffered a ransomware attack that forced it to disconnect clients' services.
https://www.bleepingcomputer.com/news/security/finnish-it-services-giant-tietoevry-discloses-ransomware-attack/
Cybercriminals attack hospitals and vaccine manufacturers
Criminals have exploited the COVID-19 pandemic to extort money. Vaccine supply chains have also come into their sights.
https://futurezone.at/digital-life/ransomware-angriffe-auf-krankenhaeuser-nehmen-stark-zu/401197883
Microsoft Lures Populate Half of Credential-Swiping Phishing Emails
As more organizations migrate to Office 365, cybercriminals are using Outlook, Teams and other Microsoft-themed phishing lures to swipe user credentials.
https://threatpost.com/microsoft-lures-credential-swiping-phishing-emails/164207/
Malspam pushes GuLoader for Remcos RAT, (Wed, Feb 24th)
Malicious spam (malspam) pushing GuLoader malware has been around for over a year now. GuLoader is a file downloader first observed in December 2019, and it has been used to distribute a wide variety of malware.
https://isc.sans.edu/diary/rss/27132
Experts Warns of Notable Increase in QuickBooks Data Files Theft Attacks
New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks to deliver malware and exploit the accounting software.
https://thehackernews.com/2021/02/experts-warns-of-notable-increase-in.html
2020 ICS Cybersecurity Year in Review
The Dragos YIR report is an annual analysis of ICS/OT focused cyber threats, vulnerabilities, assessments, and incident response insights.
https://www.dragos.com/blog/industry-news/2020-ics-cybersecurity-year-in-review/
New LazyScripter Hacking Group Targets Airlines
A recently identified threat actor that remained unnoticed for roughly two years appears focused on the targeting of airlines that are using the BSPLink financial settlement software made by the International Air Transport Association (IATA).
https://www.securityweek.com/new-lazyscripter-hacking-group-targets-airlines
An Analysis of MassLogger v3
Researchers from Avast have published a report on their analysis of the MassLogger v3 infostealing malware. The analysis focuses on the obfuscation of the final payload.
https://exchange.xforce.ibmcloud.com/collection/8f1c8a4c335e11921fdc7a3f520600fd
Vulnerabilities
Update now: Critical vulnerability in VMware ESXi and vCenter Server fixed
Three security vulnerabilities rated from "Moderate" to "Critical" affect ESXi and vCenter Server and, indirectly, Cloud Foundation as well. Updates are available.
https://heise.de/-5063860
Security updates for Wednesday
Security updates have been issued by openSUSE (firefox and tor), Oracle (stunnel and xterm), Red Hat (virt:8.2 and virt-devel:8.2 and xterm), SUSE (avahi, gnuplot, java-1_7_0-ibm, and pcp), and Ubuntu (openssl).
https://lwn.net/Articles/847240/
Cisco Security Advisories 2021-02-24
3 Critical, 4 High, 5 Medium Severity
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2021%2F02%2F24&firstPublishedEndDate=2021%2F02%2F24
Privilege Escalation via sudo and Linux kernel in Bosch Rexroth Products
BOSCH-SA-372917: Linux kernel versions through 5.10.11 contain weaknesses that allow local users to execute code in the kernel, with the potential to escalate privileges. The ctrlX CORE and the IoT Gateway are both shipped with vulnerable versions of those components.
https://psirt.bosch.com/security-advisories/bosch-sa-372917.html
ZDI-21-249: (Pwn2Own) NETGEAR Nighthawk R7800 Heap-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-249/
ZDI-21-248: (Pwn2Own) NETGEAR R7800 udchpd DHCP_REQUEST Command Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-248/
ZDI-21-247: NETGEAR Nighthawk R7800 ready-genie-cloud Insecure Download of Critical Component Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-247/
Security Advisory - Local Privilege Escalation Vulnerability in Some Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210218-01-privilege-en
Security Advisory - Use After Free Vulnerability in Huawei Product
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-01-uaf-en
Security Advisory - Denial of Service Vulnerability in Huawei Product
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-03-dos-en
Security Bulletin: Clickjacking vulnerability identified in IBM Dependency Based Build server web UI
https://www.ibm.com/blogs/psirt/security-bulletin-clickjacking-vulnerability-identified-in-ibm-dependency-based-build-server-web-ui/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14797, CVE-2020-14779, CVE-2020-14796)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-messagegateway-cve-2020-14797-cve-2020-14779-cve-2020-14796/
Security Bulletin: A security vulnerability in Node.js nodemailer module affects IBM Cloud Automation Manager.
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-nodemailer-module-affects-ibm-cloud-automation-manager/
Security Bulletin: Multiple CVEs - Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-designer-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-3/
Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-messagegateway/
Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus (CVE-2020-7760)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-integration-bus-cve-2020-7760/
Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4931)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-denial-of-service-vulnerability-cve-2020-4931/
Security Bulletin: OpenLDAP publicly disclosed vulnerabilities affects MessageGateway (CCVE-2020-36230, CVE-2020-36229)
https://www.ibm.com/blogs/psirt/security-bulletin-openldap-publicly-disclosed-vulnerabilities-affects-messagegateway-ccve-2020-36230-cve-2020-36229/
Security Bulletin: IBM Cloud Pak for Security is vulnerable to cookie spoofing (CVE-2019-12749)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-security-is-vulnerable-to-cookie-spoofing-cve-2019-12749/
Security Bulletin: A security vulnerability in Node.js nodemailer module affects IBM Cloud Pak for Multicloud Management.
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-nodemailer-module-affects-ibm-cloud-pak-for-multicloud-management/
Rockwell Automation FactoryTalk Services Platform
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-01
Advantech BB-ESWGP506-2SFP-T
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02
Advantech Spectre RT Industrial Routers
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-03