Daily Summary - 22.04.2021

End-of-Day report

Timeframe: Wednesday 21-04-2021 18:00 - Thursday 22-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

Makers of the Signal messenger hack Cellebrite's forensic software

The Signal developers show on video how a specially prepared iPhone defeats the Cellebrite software used by law enforcement agencies.

https://heise.de/-6024421


Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices

A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/


Attackers can hide external sender email warnings with HTML and CSS

The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code.

https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-sender-email-warnings-with-html-and-css/


Telegram Platform Abused in 'ToxicEye' Malware Campaigns

Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims' machines, new research has found.

https://threatpost.com/telegram-toxiceye-malware/165543/


Announcing the New Reports API

We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret.

https://www.shadowserver.org/news/announcing-the-new-reports-api/


All Your Databases Belong To Me! A Blind SQLi Case Study

The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study/


Researchers Find Additional Infrastructure Used By SolarWinds Hackers

The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, [...]

https://thehackernews.com/2021/04/researchers-find-additional.html


[SANS ISC] How Safe Are Your Docker Images?

I published the following diary on isc.sans.edu: "How Safe Are Your Docker Images?": Today, I don't know any organization that is not using Docker today. For only test and development only or to full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier's tools. Today, we are also facing a new threat: supply chain attacks (think about Solarwinds or, more recently, CodeCov). Let's mix the attraction for container technologies and this threat, we realize that Docker images are a great way to compromise an organization!

https://blog.rootshell.be/2021/04/22/sans-isc-how-safe-are-your-docker-images/


PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately

Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by "Robin Goodfellow." The exploited flaw makes it possible [...]

https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/


Now this botnet is hunting for unpatched Microsoft Exchange servers

The Prometei botnet's key goal is cryptojacking - but its powerful capabilities could see it deployed for much more dangerous attacks.

https://www.zdnet.com/article/now-this-botnet-is-hunting-for-unpatched-microsoft-exchange-servers/


CISA Incident Response to SUPERNOVA Malware

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization's enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information.

https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-response-supernova-malware


AirDrop bugs expose Apple users' email addresses, phone numbers

A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apple's AirDrop file transfer feature.

https://therecord.media/airdrop-bugs-expose-apple-users-email-addresses-phone-numbers/

Vulnerabilities

Cisco Security Advisories for Cisco SD-WAN vManage Software

Cisco has published 5 security advisories for Cisco SD-WAN vManage Software, all of which are classified as "Medium".

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F04%2F21&firstPublishedEndDate=2021%2F04%2F21


Security updates: Static credentials put Qnap NAS at risk

A critical vulnerability in HBS 3 Hybrid Backup Sync endangers Qnap network-attached storage (NAS) devices.

https://heise.de/-6025271


Security updates for Thursday

Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon).

https://lwn.net/Articles/853953/


Google rushes out fix for zero-day vulnerability in Chrome

The update patches a total of seven security flaws in the desktop versions of the popular web browser

https://www.welivesecurity.com/2021/04/21/google-fix-zero-day-vulnerability-chrome/


Drupal: Vulnerability enables Cross-Site Scripting

https://www.cert-bund.de/advisoryshort/CB-K21-0432


Red Hat OpenShift: Multiple vulnerabilities enable Denial of Service

https://www.cert-bund.de/advisoryshort/CB-K21-0431


Stored XSS (outdated software library) in BMDWeb 2.0

https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-veraltete-software-bibliothek-in-bmdweb-2/


Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-affects-websphere-application-server-cve-2020-5258-2/


Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-affects-ibm-cloud-application-business-insights-3/


Security Bulletin: Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server

https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-on-ibm-watson-machine-learning-server/


Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow - CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-with-ibm-content-navigator-component-in-ibm-business-automation-workflow-cve-2020-4757-psirt-adv0028011-cve-2020-4934/


Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Performance Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-performance-server/