End-of-Day report
Timeframe: Monday 15-03-2021 18:30 - Tuesday 16-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
FBI warns of escalating Pysa ransomware attacks on education orgs
The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa-ransomware-attacks-on-education-orgs/
One-Click Microsoft Exchange On-Premises Mitigation Tool - March 2021
We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that [...]
https://msrc-blog.microsoft.com:443/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
Video conferencing: keeping confidential matters confidential
The coronavirus pandemic has considerably increased the use of video conferencing solutions in public administration and business. The systems are used not only for communication but also for jointly creating and editing documents.
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/210316_Mindeststandards-Videokonferenzen.html
Buying pinhole glasses on ayurreadpro.com? We advise against it!
Anyone searching online for ways to improve their eyesight or for eye-training methods will very likely come across pinhole glasses. Pinhole glasses are black plastic glasses with a hole pattern in the "lenses" that supposedly prevent and correct visual impairments. There are, however, no scientifically confirmed studies on the effectiveness of the roughly 60-euro glasses. In extreme cases they could even cause serious damage [...]
https://www.watchlist-internet.at/news/eine-rasterbrille-auf-ayurreadprocom-kaufen-wir-raten-davon-ab/
Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th)
Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consists of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.
https://isc.sans.edu/diary/rss/27204
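The checksum test from the diary above, as an added example (not code from the diary or from Metasploit): the 8-bit checksum is the sum of the path's byte values modulo 256, and a 4-character alphanumeric path is flagged when that value is one of the stager constants. The constants for Metasploit come from its uri_checksum.rb; the value 93 for Cobalt Strike x64 stagers is taken from published Cobalt Strike analyses, not from the diary, and the log lines are constructed.

```python
"""Flag HTTP request paths whose 8-bit checksum matches a Metasploit or
Cobalt Strike stager constant. Added example, not the diary's own code."""
import re
from typing import List, Optional, Tuple

# Constants from Metasploit's rex/payloads/meterpreter/uri_checksum.rb.
# 93 (Cobalt Strike x64) is an assumption taken from published CS analyses.
CHECKSUM_LABELS = {
    92: "Metasploit native/Windows stager or Cobalt Strike x86 stager",
    80: "Metasploit Python stager",
    88: "Metasploit Java stager",
    95: "Metasploit stageless session init",
    98: "Metasploit existing session",
    93: "Cobalt Strike x64 stager",
}

# The diary describes 4-character alphanumeric paths; longer variants are
# out of scope for this example.
STAGER_PATH = re.compile(r"^/([A-Za-z0-9]{4})$")
# Common Log Format request line: client ... "METHOD /path HTTP/x.y"
REQUEST_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def checksum8(s: str) -> int:
    """Sum of the byte values modulo 256, the check Metasploit applies."""
    return sum(s.encode("ascii")) % 256


def classify_path(path: str) -> Optional[Tuple[int, str]]:
    """Return (checksum, label) if PATH looks like a stager URI, else None."""
    m = STAGER_PATH.match(path.split("?", 1)[0])  # ignore any query string
    if not m:
        return None
    csum = checksum8(m.group(1))
    label = CHECKSUM_LABELS.get(csum)
    return (csum, label) if label else None


def find_stager_requests(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Scan CLF lines and return (client, path, checksum, label) for hits."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        client, path = m.groups()
        result = classify_path(path)
        if result:
            hits.append((client, path, result[0], result[1]))
    return hits


# Constructed sample log lines, not real traffic. "abc6", "abc7" and "abf9"
# sum to 348, 349 and 354, i.e. checksums 92, 93 and 98.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2021:10:01:02 +0000] "GET /abc6 HTTP/1.1" 200 122
10.0.0.5 - - [15/Mar/2021:10:01:03 +0000] "GET /abc7 HTTP/1.1" 200 122
10.0.0.7 - - [15/Mar/2021:10:02:15 +0000] "GET /test HTTP/1.1" 200 4512
10.0.0.9 - - [15/Mar/2021:10:03:20 +0000] "GET /abf9?x=1 HTTP/1.1" 200 122
10.0.0.9 - - [15/Mar/2021:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for client, path, csum, label in find_stager_requests(SAMPLE_LOG):
        print(f"{client} {path} checksum8={csum}: {label}")
```

With six accepted constants out of 256 possible values, roughly one in forty random 4-character paths will match by chance, so treat a hit as a triage signal to correlate with the client, user agent and response size rather than as proof of a stager.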
Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks
New research has yielded yet another means to pilfer sensitive data by exploiting what is the first "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this [...]
https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution
We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software's live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that it was fully exploitable since the binaries distributed do not have any memory corruption protection.
https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonitor-for-remote-code-execution/
Hackers are targeting telecoms companies to steal 5G secrets
Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world.
https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-steal-5g-secrets/
Exploring my doorbell
I've talked about my doorbell before, but started looking at it again this week because sometimes it simply doesn't send notifications to my Home Assistant setup - the push notifications appear on my phone, but the doorbell simply doesn't trigger the HTTP callback it's meant to[1]. This is obviously suboptimal, but it's also tricky to debug a device when you have no access to it.
https://mjg59.dreamwidth.org/56345.html
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, [...]
https://lwn.net/Articles/849501/
This years-old Microsoft Office vulnerability is still popular with hackers, so patch now
Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware.
https://www.zdnet.com/article/this-years-old-microsoft-office-vulnerability-is-still-popular-with-hackers-so-patch-now/
Current figures on the Exchange vulnerabilities in Austria
TL;DR
1074 Exchange servers are still unpatched (as of 2021-03-16). After the first active scans between 9 and 12 March there were still 2236.
So far, 465 webshells have been found in Austria by Shadowserver and Kryptos Logic.
Initial patch discipline was apparently high.
If possible, use Microsoft's script at https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt to find and mitigate webshells [...]
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwachstellen-in-osterreich
Advantech WebAccess/SCADA
This advisory contains mitigations for a Cross-site Scripting vulnerability in Advantech WebAccess/SCADA browser-based software.
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-01
GE UR family
This advisory contains mitigations for multiple vulnerabilities in GE UR family of protection and control relays.
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02
Hitachi ABB Power Grids AFS Series
This advisory contains mitigations for an Infinite Loop vulnerability in Hitachi ABB Power Grids AFS Series products.
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-03
BD Alaris 8015 PC Unit (Update B)
[...] This advisory contains compensating controls to reduce the risk of exploitation of insufficiently protected credentials and security features vulnerabilities in BD Alaris 8015 Point of Care units, which provide a common user interface for programming [...]
https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02
DP API encryption ineffective in Windows containers: Publicly Available Cryptographic Keys (CVE-2021-1645)
We recently discovered a vulnerability in the DP API key management of Windows containers. This vulnerability was assigned CVE-2021-1645 by Microsoft [1] and allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. This vulnerability was discovered in close cooperation with SignPath [2].
https://certitude.consulting/blog/en/windows-docker-dp-api-vulnerability-cve-2021-1645/
Apache Tomcat vulnerability CVE-2021-25329
https://support.f5.com/csp/article/K73648110
Apache Tomcat vulnerability CVE-2021-25122
https://support.f5.com/csp/article/K00174195
TYPO3 Extensions: Mehrere Schwachstellen
https://www.cert-bund.de/advisoryshort/CB-K21-0276
TYPO3 Core: Mehrere Schwachstellen
https://www.cert-bund.de/advisoryshort/CB-K21-0275
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11.
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-6/
Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-affect-powersc-cve-2020-8284-cve-2020-8285-and-cve-2020-8286/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-aix-5/
Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI.
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-spectrum-scale-gui-2/
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in Libxml2
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-management-module-cmm-is-affected-by-vulnerabilities-in-libxml2/
Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into log files (CVE-2020-4851)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-spectrum-scale-allows-to-inject-malicious-content-into-log-files-cve-2020-4851/
Security Bulletin: A vulnerability in IBM Java SE affects IBM Spectrum Scale
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-se-affects-ibm-spectrum-scale/