Daily summary - 10.05.2021

End-of-Day report

Timeframe: Friday 07-05-2021 18:00 - Monday 10-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Correctly Validating IP Addresses: Why encoding matters for input validation (Mon, May 10th)

Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets.

https://isc.sans.edu/diary/rss/27404


Manipulated development environment: Xcode malware was enormously widespread

In the Epic v. Apple proceedings it emerged that in 2015 almost 130 million iPhone users were affected by "XcodeGhost" - in over 2,500 apps.

https://heise.de/-6041836


Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs

Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns. Lemon Duck remains relevant as the operators begin to target [...]

https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html


Banking trojan Ousaban analysed

In our series on Latin American banking trojans, we look at a representative with a complex distribution path.

https://www.welivesecurity.com/deutsch/2021/05/07/banking-trojaner-ousaban-analysiert/


Colonial Pipeline Falls Victim to Attack

Summary: A top U.S. fuel pipeline company has suffered a cyber attack that has forced them to halt operations. Several news sources and the company itself have confirmed the attack. Threat Type: Cyber Attack. Overview (Update May 10 - 8:50 AM): The most recent reporting indicates that the attack likely involved DarkSide, a ransomware-as-a-service (RaaS) affiliate operation. DarkSide posted the following statement to their leak site following the attack: We are apolitical, we do not participate in [...]

https://exchange.xforce.ibmcloud.com/collection/cc757925ae0fdf1689518a35128215f4


SolarWinds says fewer than 100 customers were impacted by supply chain attack

Texas-based software firm SolarWinds downgraded the number of customers impacted by its 2020 supply chain attack from 18,000 to fewer than 100.

https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack/

Vulnerabilities

Foxit Reader bug lets attackers run malicious code via PDFs

Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader.

https://www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attackers-run-malicious-code-via-pdfs/


Security updates for Monday

Security updates have been issued by Debian (libxml2), Fedora (autotrace, babel, kernel, libopenmpt, libxml2, mingw-exiv2, mingw-OpenEXR, mingw-openexr, python-markdown2, and samba), openSUSE (alpine, avahi, libxml2, p7zip, redis, syncthing, and vlc), and Ubuntu (webkit2gtk).

https://lwn.net/Articles/855909/


Linux kernel vulnerability CVE-2020-1749

https://support.f5.com/csp/article/K02186513


Security Bulletin: IBM CloudPak foundational services (Events Operator) is affected by potential data integrity issue (CVE-2020-25649)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloudpak-foundational-services-events-operator-is-affected-by-potential-data-integrity-issue-cve-2020-25649/


Security Bulletin: IBM Kenexa LCMS Premier On Premise - CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-on-premise-cve-2020-14782-deferred-from-oracle-oct-2020-cpu-for-java-8/


Security Bulletin: IBM Cloud Pak for Security is vulnerable to CVE-2021-20538 and CVE-2021-20577

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-security-is-vulnerable-to-cve-2021-20538-and-cve-2021-20577/


Security Bulletin: A security vulnerability in Node.js urijs module affects IBM Cloud Pak for Multicloud Management Infrastructure management.

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-urijs-module-affects-ibm-cloud-pak-for-multicloud-management-infrastructure-management/


Security Bulletin: IBM Kenexa LMS On Premise - CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise-cve-2020-14782-deferred-from-oracle-oct-2020-cpu-for-java-8/


Security Bulletin: IBM Kenexa LMS On Premise - CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise-cve-2020-14781-deferred-from-oracle-oct-2020-cpu-for-java-8/


Security Bulletin: IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability (CVE-2021-20559)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-control-desk-is-vulnerable-to-cross-site-scripting-vulnerability-cve-2021-20559/


Security Bulletin: IBM Kenexa LCMS Premier On Premise - CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-on-premise-cve-2020-14781-deferred-from-oracle-oct-2020-cpu-for-java-8/


Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Codec

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-vulnerability-in-apache-commons-codec/


Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-multiple-vulnerabilities-in-xstream/


Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-commons-and-log4j-affect-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-3/