Daily summary - 28.04.2021

End-of-Day report

Timeframe: Tuesday 27-04-2021 18:00 - Wednesday 28-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer

News

Security: Legal consequences of the Cellebrite hack

Verdicts in which the forensics software was used to secure evidence are being called into question following the disclosure of the serious security vulnerabilities.

https://www.golem.de/news/security-juristische-konsequenzen-durch-den-cellebrite-hack-2104-156087-rss.html


RotaJakiro: A long live secret backdoor with 0 VT detection

On March 25, 2021, 360 NETLAB's BotMon system flagged a suspicious ELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detections. The sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not TLS/SSL.

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/


Abusing Replication: Stealing AD FS Secrets Over the Network

Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives.

https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html


Emotet: A good 4 million copied email addresses at the checking service Have I Been Pwned

To better inform those affected, the FBI has shared more than four million email addresses harvested by the former "king of malware" Emotet with HIBP.

https://heise.de/-6030480


User Empowerment: Password Security

World Password Day (who knew that was a thing?) is upon us.

https://malicious.link/post/2021/user-empowerment-password-security/


Österreichische Gesundheitskasse warns of fraudulent calls

Insured persons of the Österreichische Gesundheitskasse (ÖGK) are currently being called by fraudsters. The fraudsters pose as ÖGK employees and call from a supposedly Austrian phone number.

https://www.watchlist-internet.at/news/oesterreichische-gesundheitskasse-warnt-vor-betruegerischen-anrufen/


Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle

It has been suspected that exploit code used in the wave of attacks may have been sourced from the program.

https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing-scheme-following-exchange-server-debacle/


Two million database servers are currently exposed across cloud providers

Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs.

https://therecord.media/two-million-database-servers-are-currently-exposed-across-cloud-providers/


Ransomware gang targets Microsoft SharePoint servers

Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.

https://therecord.media/ransomware-gang-targets-microsoft-sharepoint-servers/

Vulnerabilities

Malicious-code vulnerability in IBM Spectrum Protect endangers servers

There are important security updates for IBM's data protection solution Spectrum Protect and Spectrum Protect Plus.

https://heise.de/-6030379


Security updates for Wednesday

Security updates have been issued by Debian (chromium and shibboleth-sp), Fedora (ceph and salt), Oracle (thunderbird), Red Hat (etcd), Scientific Linux (nss and openldap), SUSE (curl, gdm, and libnettle), and Ubuntu (openjdk-8, openjdk-lts and underscore).

https://lwn.net/Articles/854756/


Synology-SA-21:15 Antivirus Essential

A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential.

https://www.synology.com/en-global/support/security/Synology_SA_21_15


WordPress plugin "WP Fastest Cache" vulnerable to directory traversal

https://jvn.jp/en/jp/JVN35240327/


ZDI-21-485: (0Day) Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-485/


Security Advisory - Denial of Service Vulnerability in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-01-dos-en


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-16044) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2020-16044-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/


Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email

https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-affects-content-collector-for-email/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23954-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/


Security Bulletin: Embedded WebSphere Application Server is vulnerable to a directory traversal vulnerability affects Content Collector for Email

https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-affects-content-collector-for-email/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23987-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-26974) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2020-26974-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/


Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-installed-websphere-application-server/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23978) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23978-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/


Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012

https://support.f5.com/csp/article/K04234247


TMM vulnerability CVE-2021-23011

https://support.f5.com/csp/article/K10751325


BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow

https://support.f5.com/csp/article/K91414704


Running a CTU Diagnostics Report may leave elevated command prompt after report generation

https://support.f5.com/csp/article/K03544414


TMM with HTTP/2 vulnerability (CVE-2021-23009)

https://support.f5.com/csp/article/K90603426


BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010

https://support.f5.com/csp/article/K18570111


BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014

https://support.f5.com/csp/article/K23203045


BIG-IP APM AD authentication vulnerability CVE-2021-23008

https://support.f5.com/csp/article/K51213246


Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015

https://support.f5.com/csp/article/K74151369