Tageszusammenfassung - 01.04.2021

End-of-Day report

Timeframe: Mittwoch 31-03-2021 18:00 - Donnerstag 01-04-2021 18:00 Handler: Stephan Richter Co-Handler: n/a


Sicherheitslücke: Datenleck bei Ubiquiti war deutlich umfassender

Laut einem Bericht konnten die Angreifer auf Quellcode und Credentials von Ubiquiti zugreifen. Der Netzwerkgerätehersteller widerspricht nicht.


Who Contains the Containers?

This is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights into what to look for if you-re researching this area.


Changes in Sinkhole and Honeypot Report Types and Formats

Over the years, Shadowserver-s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01.


The Importance of Website Backups

Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into the category of precious digital assets


Back in a Bit: Attacker Use of the Windows Background IntelligentTransfer Service

Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP to simplify and coordinate downloading and uploading large files. Applications and system components, most notably Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal user disruption. [...] As is the case with many technologies, BITS can be used both by legitimate applications and by attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer.


DoS-Lücke in Virtualisierungsplattform Citrix Hypervisor geschlossen

Abgesicherte Versionen von Citrix Hypervisor verhindern Zugriffe auf Host-Systeme.


Report: USB threats to ICS systems have nearly doubled

The latest Honeywell USB Threat Report 2020 indicates that the number of threats specifically targeting Operational Technology systems has nearly doubled from 16% to 28%, while the number of threats capable of disrupting those systems rose from 26% to 59% over the same period.


Digital Forensics vs. Anti-Digital Forensics: Techniques, Limitations and Recommendations. (arXiv:2103.17028v1 [cs.CR])

The number of cyber attacks has increased tremendously in the last few years. This resulted into both human and financial losses at the individual and organization levels. Recently, cyber-criminals are leveraging new skills and capabilities by employing anti-forensics activities, techniques and tools to cover their tracks and evade any possible detection.


Is your dishwasher trying to kill you?

Does every device in your home really need to be connected to the internet? And could it be turned against you?


CISA Releases Supplemental Direction on Emergency Directive for Microsoft Exchange Server Vulnerabilities

CISA has issued supplemental direction to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities providing additional forensic triage and server hardening, requirements for federal agencies. Specifically, this update directs federal departments and agencies to run newly developed tools - Microsoft-s Test-ProxyLogon.ps1 script and Safety Scanner MSERT - to investigate whether their Microsoft Exchange [...]



ZDI-21-399: (0Day) D-Link DIR-882 HNAP Stack-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-882 routers. Authentication is not required to exploit this vulnerability.


Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021

On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.This advisory will be updated as additional information becomes available.


Cisco IOS XE Software Fast Reload Vulnerabilities

Version: 1.1 Description: Added Catalyst 3650 switches as affected products.


SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service

Trend Micro has released new patches for Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS). These patches resolve multiple vulnerabilities related to improper access control and incorrect permission assignment privilege escalation as well as insecure file permissions.



VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)


VMSA-2021-0004.1 - VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)

2021-03-31: VMSA-2021-0004.1 - Updated advisory with information on vROps 7.0.0 workarounds.


Security updates for Thursday

Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin).


Rockwell Automation FactoryTalk AssetCentre

This advisory contains mitigations for OS Command Injection, Deserialization of Untrusted Data, SQL Injection, and Improperly Restricted Functions vulnerabilities in Rockwell Automation FactoryTalk AssetCentre automation software products.


Security Advisory - Out of Bounds Write Vulnerability in Huawei Smartphone


Security Advisory - Arbitrary Memory Write Vulnerability in Huawei Smart Phone


March 31, 2021 TNS-2021-06 [R1] Tenable.sc 5.18.0 Fixes One Third-party Vulnerability


Atlassian Jira Software: Mehrere Schwachstellen