End-of-Day report
Timeframe: Friday 19-03-2021 18:00 - Monday 22-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
DDoS booters now abuse DTLS servers to amplify attacks
DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (DTLS) servers to amplify Distributed Denial of Service (DDoS) attacks.
https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/
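The property that makes a DTLS server usable as a reflector is whether it answers a cookie-less ClientHello with the small HelloVerifyRequest from the RFC 6347 cookie exchange (which proves the client address is real before any state or large flight is sent) or immediately with ServerHello, Certificate and the rest of its first flight. The following is an added example, not code from the article or from any vendor: it builds a minimal DTLS 1.2 ClientHello, parses the handshake messages in a reply and reports the byte amplification. The two sample replies are constructed here (a 32-byte cookie, a 1200-byte placeholder certificate and the single cipher suite 0xC02F are assumptions for illustration), and `probe()` is a hypothetical helper for sending the same ClientHello to a host you are authorised to test.

```python
"""Check whether a DTLS server does the cookie exchange before sending its full
first flight.  Sample replies below are constructed, not captured."""
import socket
import struct
from dataclasses import dataclass

CONTENT_HANDSHAKE = 22
DTLS_1_2 = 0xFEFD  # DTLS version numbers are the ones' complement of the TLS ones

HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_HELLO_VERIFY_REQUEST = 1, 2, 3
HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 11, 14
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest",
            11: "Certificate", 12: "ServerKeyExchange", 14: "ServerHelloDone"}


def dtls_record(fragment, seq, epoch=0, content_type=CONTENT_HANDSHAKE):
    """Record header: type(1) version(2) epoch(2) sequence(6) length(2)."""
    return (struct.pack("!BHH", content_type, DTLS_1_2, epoch) + seq.to_bytes(6, "big")
            + struct.pack("!H", len(fragment)) + fragment)


def handshake_msg(msg_type, body, message_seq):
    """Handshake header: type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)."""
    return (bytes([msg_type]) + len(body).to_bytes(3, "big") + struct.pack("!H", message_seq)
            + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big") + body)


def build_client_hello(cookie=b""):
    """Minimal DTLS 1.2 ClientHello: one suite, null compression, no extensions.
    The fixed random is fine for a probe; no key material is ever derived from it."""
    body = struct.pack("!H", DTLS_1_2) + b"\x11" * 32   # client_version, random
    body += b"\x00"                                    # empty session_id
    body += bytes([len(cookie)]) + cookie              # cookie, empty on first contact
    body += struct.pack("!HH", 2, 0xC02F)              # assumed suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                                # compression_methods: null only
    return dtls_record(handshake_msg(HS_CLIENT_HELLO, body, 0), seq=0)


def parse_handshake_types(datagram):
    """Walk every record in a datagram and list the handshake message types it carries."""
    types, off = [], 0
    while off + 13 <= len(datagram):
        ctype = datagram[off]
        length = struct.unpack_from("!H", datagram, off + 11)[0]
        frag = datagram[off + 13: off + 13 + length]
        if len(frag) != length:
            raise ValueError("truncated DTLS record")
        off += 13 + length
        if ctype != CONTENT_HANDSHAKE:
            continue
        p = 0
        while p + 12 <= len(frag):
            types.append(frag[p])
            p += 12 + int.from_bytes(frag[p + 9: p + 12], "big")
    return types


@dataclass
class Verdict:
    cookie_exchange: bool   # True when the only reply is a HelloVerifyRequest
    amplification: float    # bytes received per byte sent
    messages: list


def assess(request, response):
    types = parse_handshake_types(response)
    return Verdict(cookie_exchange=(types == [HS_HELLO_VERIFY_REQUEST]),
                   amplification=len(response) / len(request),
                   messages=[HS_NAMES.get(t, f"type{t}") for t in types])


def sample_hello_verify_response():
    """Constructed reply of a hardened server: a 32-byte stateless cookie and nothing else."""
    body = struct.pack("!H", DTLS_1_2) + bytes([32]) + b"\x42" * 32
    return dtls_record(handshake_msg(HS_HELLO_VERIFY_REQUEST, body, 0), seq=0)


def sample_full_flight_response(cert_len=1200):
    """Constructed reply of a misconfigured server: whole first flight, client address unverified."""
    server_hello = (struct.pack("!H", DTLS_1_2) + b"\x22" * 32 + b"\x00"
                    + struct.pack("!H", 0xC02F) + b"\x00")
    cert_blob = b"\x30" * cert_len  # placeholder for DER bytes
    certificate = (3 + cert_len).to_bytes(3, "big") + cert_len.to_bytes(3, "big") + cert_blob
    return (dtls_record(handshake_msg(HS_SERVER_HELLO, server_hello, 0), seq=0)
            + dtls_record(handshake_msg(HS_CERTIFICATE, certificate, 1), seq=1)
            + dtls_record(handshake_msg(HS_SERVER_HELLO_DONE, b"", 2), seq=2))


def probe(host, port, timeout=3.0):
    """Hypothetical helper: one cookie-less ClientHello over UDP, first reply assessed."""
    req = build_client_hello()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        resp, _ = s.recvfrom(65535)
    return assess(req, resp)


if __name__ == "__main__":
    req = build_client_hello()
    for name, resp in (("cookie exchange", sample_hello_verify_response()),
                       ("full flight", sample_full_flight_response())):
        v = assess(req, resp)
        print(f"{name}: {v.messages}, x{v.amplification:.1f}, safe={v.cookie_exchange}")
```

A server that returns the cookie exchange sends back fewer bytes than it received, so it is useless to a booter; the constructed full-flight reply comes back around twenty times larger than the 67-byte request, and a real certificate chain makes the ratio worse. The remediation on the server side is to enable the HelloVerifyRequest cookie exchange (or update to a release that does so by default), and on the network side to rate-limit or firewall UDP DTLS ports that do not need to be reachable from the Internet.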
Microsoft Exchange servers now targeted by BlackKingdom ransomware
Another ransomware operation known as BlackKingdom is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-now-targeted-by-blackkingdom-ransomware/
Office 365 Phishing Attack Targets Financial Execs
Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials.
https://threatpost.com/office-365-phishing-attack-financial-execs/164925/
Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online
Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass-scanning and targeting exposed and unpatched networking devices to break into enterprise networks. News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online [...]
https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html
Multi-factor Authentication. Reset MFA you say?
MFA is a no-brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don't confuse it with 2SV... Anyway, when we're red teaming, MFA [...]
https://www.pentestpartners.com/security-blog/multi-factor-authentication-reset-mfa-you-say/
Advertising on Willhaben? Beware of mob-willhaben.at SMS!
Numerous Willhaben users are currently contacting Watchlist Internet because they have received a fraudulent SMS about a Willhaben listing. The nasty part: the recipients really are offering goods on Willhaben at the time. The SMS usually claims that someone has paid for the item. An included link leads to a fake Willhaben page that tries to harvest data and install a trojan.
https://www.watchlist-internet.at/news/auf-willhaben-inseriert-vorsicht-vor-mob-willhabenat-sms/
Metamorfo/Mekotio Banking Trojan Uses AutoHotKey Scripting
The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking trojan with Latin American origins that is now expanding its reach to victims across Europe. This trojan makes use of a little-known scripting language, AutoHotKey (AHK).
https://exchange.xforce.ibmcloud.com/collection/6e934f1121d09aff346710499c02e8e4
Vulnerabilities
ZDI-21-342: Samsung Galaxy S20 libimagecodec Out-Of-Bounds Read Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Samsung Galaxy S20. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-21-342/
Apache OFBiz: update fixes remote vulnerability in open-source ERP software
The open-source enterprise resource planning software OFBiz could be attacked remotely. A fixed version and a patch are available.
https://heise.de/-5994429
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and [...]
https://lwn.net/Articles/850068/
Adobe Patches Critical ColdFusion Security Flaw
Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the platform used for building and deploying mobile and web apps.
https://www.securityweek.com/adobe-patches-critical-coldfusion-security-flaw
TMM vulnerability CVE-2021-23007
https://support.f5.com/csp/article/K37451543
Atlassian Jira Software: multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K21-0297
UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS)
https://jvn.jp/en/jp/JVN12737530/
Security updates available in Foxit Reader 10.1.3, Foxit PhantomPDF 10.1.3 and 3D Plugin Beta 10.1.3.37598
https://www.foxitsoftware.com/support/security-bulletins.html
Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-server-is-affected-by-openssl-vulnerabilities-cve-2021-23839-cve-2021-23840-and-cve-2021-23841/
Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities-7/
Security Bulletin: Websphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2020-5016)
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-cve-2020-5016-2/
Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerable-to-a-buffer-overflow-cve-2020-5025-4/
Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-4/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14782)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-for-multiplatforms-oct-2020-cpu-cve-2020-14782/
Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Elastic Storage System
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sdk-java-technology-edition-affects-ibm-elastic-storage-system/
Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-cve-2020-5024-3/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-6/
Security Bulletin: Vulnerability in Apache Struts framework affects IBM Spectrum Symphony
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-struts-framework-affects-ibm-spectrum-symphony/