Daily summary - 18.05.2021

End-of-Day report

Timeframe: Monday 17-05-2021 18:00 - Tuesday 18-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter


Security update still pending: root vulnerability in Pulse Connect Secure

Attackers could target Pulse Connect Secure VPN appliances. So far, only a workaround is available to mitigate the issue.


Companies receive fake letter from the "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe"

Numerous business owners are currently receiving a letter from the "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe", supposedly an authority that manages company data. The letter asks you to check your data and, if necessary, correct and complete it. Do not do this under any circumstances: it is fraud. You are being lured into a subscription trap!


Ransomware victim shows why transparency in attacks matters

As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a company's response to an attack that should be used as a model for all future disclosures.


Codecov hackers gained access to Monday.com source code

Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies. As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.


DarkSide Hits Toshiba; XSS Forum Bans Ransomware

The criminal forum washed its hands of ransomware after DarkSide's pipeline attack & alleged shutdown: a "loss of servers" that didn't stop another attack.


From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th)

I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on a very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported functions: [...]


Exploitation of Sharepoint 2016: Simple Things Matter - Case Study

This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018). At that point, I started looking for publicly known exploits and research papers.


Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic

During a recent operation, the Red Team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access.


Scammers Impersonating Windows Defender to Push Malicious Windows Apps

Summary points:
- Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts
- Recent campaigns pose as a Windows Defender Update
- Victims end up allowing the installation of a malicious Windows Application that targets user and system information
- Browser push notifications can highly resemble Windows system notifications

As recently discussed, scammers are abusing push notifications [...]


CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Microsoft Internet Information Services (IIS) for Windows. The bug was originally discovered by the Microsoft Platform Security & Vulnerability Research team. The following is a portion of their write-up covering CVE-2021-31166, with a few minimal modifications.

ZDI-21-594: (0Day) Microsoft Windows JET Database Engine Memory Corruption Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.


About the security content of Boot Camp 6.1.14

Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved state management.


Security updates for Tuesday

Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre).


Emerson Rosemount X-STREAM

This advisory contains mitigations for Inadequate Encryption Strength, Unrestricted Upload of File with Dangerous Type, Path Traversal, Use of Persistent Cookies Containing Sensitive Information, Cross-site Scripting, and Improper Restriction of Rendered UI Layers or Frames vulnerabilities for the Rosemount X-STREAM Gas Analyzer.


D-LINK Router: Vulnerability allows bypass of security measures


Dell integrated Dell Remote Access Controller: Vulnerability allows bypass of security measures


KLCERT-20-021: Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service


KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service


KLCERT-20-019: Moxa NPort IA5000A Series. Passwords stored in plaintext


KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control


Security Bulletin: A vulnerabilities in IBM Java affects IBM Developer for z Systems.


Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS


Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow - CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934


Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service


Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450)