Daily summary - 17.05.2021

End-of-Day report

Timeframe: Friday 14-05-2021 18:00 - Monday 17-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Exploit released for wormable Windows HTTP vulnerability

Proof-of-concept exploit code was released over the weekend for a critical, wormable vulnerability in the HTTP protocol stack (HTTP.sys, CVE-2021-31166) of the latest Windows 10 and Windows Server versions; the vulnerability was patched in the May 2021 Patch Tuesday updates.

https://www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/


Bizarro banking Trojan expands its attacks to Europe

Bizarro is yet another banking Trojan family originating from Brazil; it steals credentials from customers of 70 banks in various European and South American countries.

https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/


Ransomware Defenses, (Mon, May 17th)

Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly recurring subject in the SANS NewsBites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOIs (Indicators of Outdated Intelligence), and how to try to [...]

https://isc.sans.edu/diary/rss/27420


AHK RAT Loader Used in Unique Delivery Campaigns

The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotkey scripting language, a fork of the AutoIt language that is frequently used for test automation purposes.

https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns


Take action now - FluBot malware may be on its way

Why FluBot is a major threat for Android users, how to avoid falling victim, and how to get rid of the malware if your device has already been compromised

https://www.welivesecurity.com/2021/05/17/take-action-now-flubot-malware-may-be-on-its-way/


Two attacks disclosed against AMD's SEV virtual machine protection system

Chipmaker AMD has issued guidance this week for two attacks against its SEV (Secure Encrypted Virtualization) technology, which is designed to protect virtual machines from a malicious or compromised hypervisor. The two attacks, documented in two academic papers, can allow a threat actor to inject malicious code inside SEV-encrypted virtual machines, giving them full control over the VM's operating system.

https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/

Vulnerabilities

Beckhoff Security Advisory 2021-002: Stack Overflow and XXE vulnerability in various OPC UA products

The affected products can act as OPC UA client or server and are vulnerable to two different kinds of attack via the OPC UA protocol.

https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2021-002.pdf


SSA-695540: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2

Siemens has released version V13.1.0.2 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in ASM and PAR file formats.

https://cert-portal.siemens.com/productcert/txt/ssa-695540.txt


Security updates for Monday

Security updates have been issued by Debian (libimage-exiftool-perl and postgresql-9.6), Fedora (chromium, exiv2, firefox, kernel, kernel-headers, kernel-tools, mariadb, and python-impacket), Mageia (avahi), openSUSE (chromium, drbd-utils, dtc, ipvsadm, jhead, nagios, netdata, openvpn, opera, prosody, and virtualbox), Slackware (libxml2), SUSE (kernel and lz4), and Ubuntu (intel-microcode, python-eventlet, and rust-pleaser).

https://lwn.net/Articles/856437/


Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vulnerabilities-affect-ibm-control-center/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-xstream-2/


Security Bulletin: Guava Google Core Libraries Vulnerability Affects IBM Control Center (CVE-2020-8908)

https://www.ibm.com/blogs/psirt/security-bulletin-guava-google-core-libraries-vulnerability-affects-ibm-control-center-cve-2020-8908/


Security Bulletin: IBM InfoSphere DataStage is affected by an Information disclosure vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-is-affected-by-an-information-disclosure-vulnerability/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-dataformat

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-dataformat/


Security Bulletin: Apache Ant Vulnerabilities Affect IBM Control Center (CVE-2020-1945, CVE-2020-11979)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-ant-vulnerabilities-affect-ibm-control-center-cve-2020-1945-cve-2020-11979/


Security Bulletin: Multiple CKEditor Vulnerabilities Affect IBM Control Center

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ckeditor-vulnerabilities-affect-ibm-control-center/


Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2020-15801)

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-python-cve-2020-15801/


Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-openssl/


Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335)

https://www.ibm.com/blogs/psirt/security-bulletin-h2-database-vulnerabilities-affect-ibm-control-center-cve-2018-10054-cve-2018-14335/