End-of-Day report
Timeframe: Tuesday 18-05-2021 18:00 - Wednesday 19-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
MountLocker ransomware uses Windows API to worm through networks
The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.
https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks/
Transparent Tribe APT Infrastructure Mapping
Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets.
https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/
May 2021 Forensic Contest: Answers and Analysis, (Wed, May 19th)
You can still find the pcap for our May 2021 forensic contest at this Github repository.
https://isc.sans.edu/diary/rss/27430
When Intrusions Don't Align: A New Water Watering Hole and Oldsmar
The purpose behind this investigative anecdote on the "water watering hole" is educational and highlights how sometimes two intrusions just don't line up together no matter how much coincidence there is.
https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/
Instagram users beware: Dubious shops lure with alleged cooperation!
Dubious online shops keep appearing on Instagram. The operators of these shops use various tactics to promote their products.
https://www.watchlist-internet.at/news/instagram-nutzerinnen-aufgepasst-unserioese-shops-locken-mit-angeblicher-kooperation/
Crypto-mining gangs are running amok on free cloud computing platforms
Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms.
https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-computing-platforms/
Vulnerabilities
Pega Infinity patches authentication vulnerability
Pega Infinity is a popular enterprise software product; researchers found a flaw in its authentication process stemming from a password reset weakness.
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/pega-infinity-patches-authentication-vulnerability/
Over 600,000 Sites Impacted by WP Statistics Patch
On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites.
https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
Security updates for Wednesday
Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, [...]
https://lwn.net/Articles/856649/
Researchers Find Exploitable Bugs in Mercedes-Benz Cars
Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.
https://www.securityweek.com/researchers-find-exploitable-bugs-mercedes-benz-cars
Security Advisory - Denial of Service Vulnerability in Some Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-02-dos-en
Security Advisory - Resource Management Error Vulnerability in Some Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-01-resource-en
Security Advisory - Denial of Service Vulnerability in Huawei Smartphone
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-04-dos-en
Security Advisory - Out of Bounds Write Vulnerability in Huawei CloudEngine Product
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-01-cloudengine-en
Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console
https://www.ibm.com/blogs/psirt/security-bulletin-client-side-http-parameter-pollution-in-was-intelligent-management-admin-console/
Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affect IBM Sterling B2B Integrator
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-jackson-databind-affect-ibm-sterling-b2b-integrator-3/
Security Bulletin: Access Control Security Vulnerability Exists in Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2020-4646)
https://www.ibm.com/blogs/psirt/security-bulletin-access-control-security-vulnerability-exists-in-dashboard-user-interface-of-ibm-sterling-b2b-integrator-cve-2020-4646/
Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Java SE (CVE-2020-14782)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-java-se-cve-2020-14782/
Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-affects-ibm-cloud-pak-for-multicloud-management-monitoring-3/
Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-7-0-8-0-8-5-9-0-and-liberty-could-allow-a-remote-attacker-to-obtain-sensitive-information-when-a-stack-trace-is-returned-in-the-browser/
Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Affect IBM Sterling B2B Integrator
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-ibm-websphere-application-server-affect-ibm-sterling-b2b-integrator-2/
Security Bulletin: Vulnerabilities in IBM SDK, Java Technology Edition Quarterly.
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablities-in-ibm-sdk-java-technology-edition-quarterly/
Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-affects-ibm-cloud-pak-for-multicloud-management-monitoring-2/
Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems.
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-affects-ibm-developer-for-z-systems/
Gdk-pixbuf vulnerability CVE-2017-2862
https://support.f5.com/csp/article/K36984830
Linux kernel vulnerability CVE-2019-20811
https://support.f5.com/csp/article/K52525232
BIND vulnerability CVE-2021-25215
https://support.f5.com/csp/article/K96223611
BIND vulnerability CVE-2021-25214
https://support.f5.com/csp/article/K11426315
BOSCH-SA-350374: Vulnerability in the routing protocol of the PLC runtime
https://psirt.bosch.com/security-advisories/bosch-sa-350374.html