End-of-Day report
Timeframe: Monday 03-05-2021 18:00 - Tuesday 04-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
WebKit: Apple warns of zero-days in iOS and macOS
The Apple vulnerabilities in WebKit are reportedly already being actively exploited. The company has released updates.
https://www.golem.de/news/webkit-apple-warnt-vor-zero-days-in-ios-2105-156227-rss.html
21Nails vulnerabilities impact 60% of the internet's email servers
The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors.
https://therecord.media/21nails-vulnerabilities-impact-60-of-the-internets-email-servers/
Pingback: Backdoor At The End Of The ICMP Tunnel
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/
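As an added illustration of the ICMP-tunneling point above (this is editor-written example code, not material from the Trustwave post and not the malware's own protocol), the script below triages ICMP echo payloads: it whitelists the default data patterns of Windows ping.exe and Linux iputils ping (the latter pattern, 8-byte timestamp followed by bytes whose value equals their offset from the ICMP header, is an assumption stated in the code), flags everything else, and reports flows that carry repeated non-standard echo payloads. The packet records are constructed inline, not taken from a capture.

```python
"""ICMP echo payload triage: separate default ping payloads from data-carrying ones."""
import hashlib
import math
from collections import Counter, defaultdict

# Default data of Windows ping.exe (32 bytes, repeating alphabet).
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_linux_ping_data(data: bytes) -> bool:
    """Assumed iputils default: 8-byte timestamp, then bytes 0x10, 0x11, ... whose
    value equals their offset counted from the start of the ICMP header."""
    if len(data) < 16:
        return False
    return all(data[i] == (i + 8) & 0xFF for i in range(8, len(data)))


def classify_echo_data(data: bytes, max_benign_len: int = 64,
                       entropy_limit: float = 6.5) -> list:
    """Return the reasons a payload looks like a data carrier; an empty list means benign."""
    if data == WINDOWS_PING_DATA or is_linux_ping_data(data):
        return []
    reasons = ["payload does not match a default ping pattern"]
    if len(data) > max_benign_len:
        reasons.append(f"oversized payload ({len(data)} bytes)")
    ent = shannon_entropy(data)
    if ent > entropy_limit:
        reasons.append(f"high-entropy payload ({ent:.2f} bits/byte)")
    return reasons


def find_tunnel_candidates(packets, min_flagged: int = 3) -> dict:
    """packets: iterable of (src, dst, icmp_type, data).
    Only echo request (8) and echo reply (0) are considered; a flow is reported
    once it has carried min_flagged suspicious payloads, to suppress one-off probes."""
    flagged = defaultdict(int)
    for src, dst, icmp_type, data in packets:
        if icmp_type not in (0, 8):
            continue
        if classify_echo_data(data):
            flagged[(src, dst)] += 1
    return {flow: n for flow, n in flagged.items() if n >= min_flagged}


# --- constructed sample traffic (not a real capture) ---------------------------
def _linux_ping(seq: int) -> bytes:
    """56-byte iputils-style payload: timestamp placeholder + counting pattern."""
    return seq.to_bytes(8, "big") + bytes((i + 8) & 0xFF for i in range(8, 56))


def _pseudo_random(seed: str, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted tunnel data."""
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:length]


SAMPLE_PACKETS = (
    [("10.0.0.5", "8.8.8.8", 8, _linux_ping(s)) for s in range(3)]          # Linux ping
    + [("10.0.0.6", "8.8.8.8", 8, WINDOWS_PING_DATA) for _ in range(2)]    # Windows ping
    + [("10.0.0.7", "203.0.113.9", 8, _pseudo_random("c2", 512)) for _ in range(4)]
    + [("203.0.113.9", "10.0.0.7", 0, _pseudo_random("reply", 300)) for _ in range(3)]
)

if __name__ == "__main__":
    for (src, dst), n in find_tunnel_candidates(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {n} suspicious echo payloads")
```

The whitelist is the important part: a pure entropy check would flag the Linux counting pattern, whose bytes are almost all distinct, so baseline the legitimate ping implementations in your environment first and tune `min_flagged` to the volume of monitoring pings you expect.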
RM3 - Curiosities of the wildest banking malware
TL;DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We'll start with an overview of its origins and current operations before providing a deep dive technical analysis [...]
https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/
Firebase Domain Front - Hiding C2 as App traffic
We often see that large organizations use Firebase for hosting their applications and databases. Firebase has a lot of features such as real-time database, hosting, cloud functions etc. Today we are going to talk about Firebase hosting and cloud functions, which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as legitimate mobile traffic and bypass a lot of traffic filters.
https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding-c2-as-app-traffic
Patch now! Security update available for Pulse Connect Secure
In an updated version of the VPN software Pulse Connect Secure from Ivanti, the developers have closed critical vulnerabilities.
https://heise.de/-6035501
ATT&CK v9 Introduces Containers, Google Workspace
MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform.
https://www.securityweek.com/attck-v9-introduces-containers-google-workspace
Suggestive sex messages on Facebook & Instagram: fraud is behind it
Facebook and Instagram users know the pattern: friend requests or messages from unknown, mostly scantily clad women. On Instagram, users are also very often added to questionable groups or tagged in pictures by strangers. Behind this are fake profiles or bots that lure victims to dubious dating portals, collect data or phish for credentials.
https://www.watchlist-internet.at/news/anzuegliche-sex-nachrichten-auf-facebook-instagram-dahinter-steckt-betrug/
Three new malware families found in global finance phishing campaign
Doubledrag, Doubledrop, and Doubleback are the work of "experienced" threat actors.
https://www.zdnet.com/article/researchers-find-three-new-malware-families-used-in-global-finance-phishing-campaign/
Vulnerabilities
Actively exploited vulnerabilities: Apple patches iOS, macOS and watchOS
macOS 11.3.1, iOS 14.5.1 and watchOS 7.4.1 fix an acute security problem in Safari. A bug in the iPhone app tracking protection is also fixed.
https://heise.de/-6035220
Android patch day: critical system vulnerability gives attackers full control
There are important security updates for various Android versions.
https://heise.de/-6035560
Xen Security Advisory CVE-2021-28689 / XSA-370 - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests
A malicious 32-bit guest kernel may be able to mount a Spectre v2 attack against Xen, despite hardware protections being present and active. It therefore might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
https://xenbits.xen.org/xsa/advisory-370.html
Security updates for Tuesday
Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba).
https://lwn.net/Articles/855308/
High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices
Owners of Dell devices were informed on Tuesday that a firmware update driver present on a large number of systems is affected by a series of high-severity vulnerabilities.
https://www.securityweek.com/high-severity-dell-driver-vulnerabilities-impact-hundreds-millions-devices
Synology-SA-21:18 Hyper Backup
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Hyper Backup.
https://www.synology.com/en-global/support/security/Synology_SA_21_18
Security Bulletin: Go is vulnerable to a denial of service on IBM Watson Machine Learning on CP4D
https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-a-denial-of-service-on-ibm-watson-machine-learning-on-cp4d/
Security Bulletin: Tensor Flow security vulnerabilities with segmentation fault on IBM Watson Machine Learning on CP4D
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-with-segmentation-fault-on-ibm-watson-machine-learning-on-cp4d/
Security Bulletin: GO is vulnerable to allows attacks on clients on IBM Watson Machine Learning on CP4D
https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-allows-attacks-on-clients-on-ibm-watson-machine-learning-on-cp4d/
Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-aix-cve-2021-23839-cve-2021-23840-and-cve-2021-23841-2/
Security Bulletin: A vulnerability exists in the management GUI of the IBM FlashSystem 900
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-the-management-gui-of-the-ibm-flashsystem-900/
Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning on CP4D
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-with-denial-of-service-on-ibm-watson-machine-learning-on-cp4d/
Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning Server
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-with-denial-of-service-on-ibm-watson-machine-learning-server/
Security Bulletin: TensorFlow is vulnerable to a heap-based buffer overflow on IBM Watson Machine Learning on CP4D
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-is-vulnerable-to-a-heap-based-buffer-overflow-on-ibm-watson-machine-learning-on-cp4d/
Security Bulletin: GO security vulnerabilities on IBM Watson Machine Learning Server
https://www.ibm.com/blogs/psirt/security-bulletin-go-security-vulnerabilities-on-ibm-watson-machine-learning-server/
Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3049, CVE-2021-3050)
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-affect-ibm-sterling-connectexpress-for-unix-cve-2021-3049-cve-2021-3050/
Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454).
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-cve-2021-20454-2/