End-of-Day report
Timeframe: Mittwoch 31-03-2021 18:00 - Donnerstag 01-04-2021 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Sicherheitslücke: Datenleck bei Ubiquiti war deutlich umfassender
Laut einem Bericht konnten die Angreifer auf Quellcode und Credentials von Ubiquiti zugreifen. Der Netzwerkgerätehersteller widerspricht nicht.
https://www.golem.de/news/sicherheitsluecke-datenleck-bei-ubiquiti-war-deutlich-umfassender-2104-155440-rss.html
Who Contains the Containers?
This is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights into what to look for if you-re researching this area.
https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
Changes in Sinkhole and Honeypot Report Types and Formats
Over the years, Shadowserver-s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01.
https://www.shadowserver.org/news/changes-in-sinkhole-and-honeypot-report-types-and-formats/
The Importance of Website Backups
Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into the category of precious digital assets
https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html
Back in a Bit: Attacker Use of the Windows Background IntelligentTransfer Service
Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP to simplify and coordinate downloading and uploading large files. Applications and system components, most notably Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal user disruption. [...] As is the case with many technologies, BITS can be used both by legitimate applications and by attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer.
https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-windows-background-intelligent-transfer-service.html
DoS-Lücke in Virtualisierungsplattform Citrix Hypervisor geschlossen
Abgesicherte Versionen von Citrix Hypervisor verhindern Zugriffe auf Host-Systeme.
https://heise.de/-6003757
Report: USB threats to ICS systems have nearly doubled
The latest Honeywell USB Threat Report 2020 indicates that the number of threats specifically targeting Operational Technology systems has nearly doubled from 16% to 28%, while the number of threats capable of disrupting those systems rose from 26% to 59% over the same period.
https://www.tripwire.com/state-of-security/ics-security/report-usb-threats-to-ics-systems-have-nearly-doubled/
Digital Forensics vs. Anti-Digital Forensics: Techniques, Limitations and Recommendations. (arXiv:2103.17028v1 [cs.CR])
The number of cyber attacks has increased tremendously in the last few years. This resulted into both human and financial losses at the individual and organization levels. Recently, cyber-criminals are leveraging new skills and capabilities by employing anti-forensics activities, techniques and tools to cover their tracks and evade any possible detection.
http://arxiv.org/abs/2103.17028
Is your dishwasher trying to kill you?
Does every device in your home really need to be connected to the internet? And could it be turned against you?
https://www.welivesecurity.com/2021/04/01/is-your-dishwasher-trying-kill-you/
CISA Releases Supplemental Direction on Emergency Directive for Microsoft Exchange Server Vulnerabilities
CISA has issued supplemental direction to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities providing additional forensic triage and server hardening, requirements for federal agencies. Specifically, this update directs federal departments and agencies to run newly developed tools - Microsoft-s Test-ProxyLogon.ps1 script and Safety Scanner MSERT - to investigate whether their Microsoft Exchange [...]
https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/cisa-releases-supplemental-direction-emergency-directive-microsoft
Vulnerabilities
ZDI-21-399: (0Day) D-Link DIR-882 HNAP Stack-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-882 routers. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-21-399/
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021
On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.This advisory will be updated as additional information becomes available.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
Cisco IOS XE Software Fast Reload Vulnerabilities
Version: 1.1
Description: Added Catalyst 3650 switches as affected products.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fast-Zqr6DD5
SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service
Trend Micro has released new patches for Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS). These patches resolve multiple vulnerabilities related to improper access control and incorrect permission assignment privilege escalation as well as insecure file permissions.
https://success.trendmicro.com/solution/000286019
VMSA-2021-0005
VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)
https://www.vmware.com/security/advisories/VMSA-2021-0005.html
VMSA-2021-0004.1 - VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)
2021-03-31: VMSA-2021-0004.1 - Updated advisory with information on vROps 7.0.0 workarounds.
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
Security updates for Thursday
Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin).
https://lwn.net/Articles/851381/
Rockwell Automation FactoryTalk AssetCentre
This advisory contains mitigations for OS Command Injection, Deserialization of Untrusted Data, SQL Injection, and Improperly Restricted Functions vulnerabilities in Rockwell Automation FactoryTalk AssetCentre automation software products.
https://us-cert.cisa.gov/ics/advisories/icsa-21-091-01
Security Advisory - Out of Bounds Write Vulnerability in Huawei Smartphone
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331-01-p30-en
Security Advisory - Arbitrary Memory Write Vulnerability in Huawei Smart Phone
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331-01-smartphone-en
March 31, 2021 TNS-2021-06 [R1] Tenable.sc 5.18.0 Fixes One Third-party Vulnerability
https://www.tenable.com/security/tns-2021-06
Atlassian Jira Software: Mehrere Schwachstellen
https://www.cert-bund.de/advisoryshort/CB-K21-0334