Daily summary - 14.05.2021

End-of-Day report

Timeframe: Wednesday 12-05-2021 18:00 - Friday 14-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Patch now! Critical vulnerability threatens WordPress 3.7 to 5.7

Many WordPress websites are vulnerable. Security updates are available.

https://heise.de/-6045823


DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained funds from an account the group uses to pay affiliates.

https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/


Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity

This skimmer is using a hybrid approach to bypass detection and target vulnerable e-commerce websites.

https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/


"This is the final warning!": Extortionists demand Bitcoins

Criminals are currently sending extortion emails en masse. The emails claim that the recipient's system has been hacked and that a video exists showing the affected person watching a porn film and masturbating. The criminals threaten to publish this video unless $1,200 is paid. Do not give in to the demands: the emails are sent indiscriminately to large numbers of people.

https://www.watchlist-internet.at/news/hier-ist-die-letzte-warnung-erpresser-fordern-bitcoins/


CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise

CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments. Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that [...]

https://us-cert.cisa.gov/ncas/current-activity/2021/05/14/cisa-publishes-eviction-guidance-networks-affected-solarwinds-and


Microsoft: Windows 10 1809 and 1909 have reached end of service

Multiple editions of Windows 10 versions 1803, 1809, and 1909 have reached their End of Service (EOS) on this month's Patch Tuesday, as Microsoft reminded customers yesterday.

https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-1809-and-1909-have-reached-end-of-service/


Meet Lorenz - A new ransomware gang targeting the enterprise

A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.

https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/


Attackers abuse Microsoft dev tool to deploy Windows malware

Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign.

https://www.bleepingcomputer.com/news/security/attackers-abuse-microsoft-dev-tool-to-deploy-windows-malware/


QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day

QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage (NAS) devices, just two weeks after alerting them of an ongoing AgeLocker ransomware outbreak.

https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/


Fresh Loader Targets Aviation Victims with Spy RATs

The campaign is harvesting screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and more, with RevengeRAT or AsyncRAT payloads.

https://threatpost.com/loader-aviation-spy-rats/166133/


"Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th)

Jan's last diary about the recent attack against the US pipeline[1] was in perfect timing with the quick research I was preparing for a few weeks. If core components of industrial systems are less exposed in the wild, as Jan said, there is another issue with such infrastructures: remote access tools.

https://isc.sans.edu/diary/rss/27418


Server Side Scans and File Integrity Monitoring

When it comes to the ABCs of website security, server side scans and file integrity monitoring are the "A" and "B". In fact, our server side scanner is one of the most crucial tools in Sucuri's arsenal. It's paramount in maintaining an effective security product for our customers and analysts alike. This crucial tool handles tasks like issuing security warnings and alerts to our clients, notifying them that they have been compromised, and assisting our [...]

https://blog.sucuri.net/2021/05/server-side-scans-and-file-integrity-monitoring.html

Vulnerabilities

SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability

A vulnerability was discovered in Pulse Connect Secure (PCS). This includes a buffer overflow vulnerability on the Pulse Connect Secure gateway that allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user.

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800


Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted [...]

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK


Cisco Hosted Collaboration Mediation Fulfillment Denial of Service Vulnerability

A vulnerability in the Java Management Extensions (JMX) component of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an unsecured TCP/IP port. An attacker could exploit this vulnerability by accessing the port and restarting the JMX process. A successful exploit could allow the attacker to cause a DoS condition on an affected system.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-dos-OO4SRYEf


Critical Vulnerability Patched in External Media Plugin

On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote [...]

https://www.wordfence.com/blog/2021/05/critical-vulnerability-patched-in-external-media-plugin/


Security updates for Thursday

Security updates have been issued by Debian (graphviz and redmine), Fedora (dom4j, kernel, kernel-headers, kernel-tools, mariadb, php, php-phpmailer6, and redis), openSUSE (kernel and nagios), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).

https://lwn.net/Articles/856177/


Security updates for Friday

Security updates have been issued by Debian (jetty9, libgetdata, and postgresql-11), openSUSE (java-11-openjdk), SUSE (dtc, ibsim, ibutils, ipvsadm, and kernel), and Ubuntu (awstats and glibc).

https://lwn.net/Articles/856265/


Rockwell Automation Connected Components Workbench

This advisory contains mitigations for Deserialization of Untrusted Data, Path Traversal, and Improper Input Validation vulnerabilities in Rockwell Automation Connected Components Workbench software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-133-01


Johnson Controls Sensormatic Tyco AI

This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics (a subsidiary of Johnson Controls) Tyco AI products.

https://us-cert.cisa.gov/ics/advisories/icsa-21-133-02


OPC Foundation UA Products Built with .NET Framework

This advisory contains mitigations for an Uncontrolled Recursion vulnerability in OPC Foundation servers.

https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03


OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5

This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Unified Automation .NET based OPC UA Client/Server SDK Bundle Framework versions.

https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04


mod_auth_openidc vulnerable to denial-of-service (DoS)

https://jvn.jp/en/jp/JVN49704918/


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


PostgreSQL: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0521


Drupal: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0528


ILIAS: Vulnerability allows code execution

https://www.cert-bund.de/advisoryshort/CB-K21-0526


git: Vulnerability allows code execution

https://www.cert-bund.de/advisoryshort/CB-K21-0524