End-of-Day report
Timeframe: Friday 21-05-2021 18:00 - Tuesday 25-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Beware of SMS notifications about the delivery status of an order
Expecting a parcel? Then you should be especially careful if you receive information about the status of your order by SMS, because criminals are currently sending out fake delivery notifications en masse. To find out the details, you are asked to click on a link. Do not do so under any circumstances, [...]
https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-zum-lieferstatus-einer-bestellung/
Patch now! Critical Windows vulnerability affects more systems than thought
A security researcher has discovered another vulnerable component in Windows systems. Updates are already available.
https://heise.de/-6052749
Qnap belatedly secures NAS against Qlocker attacks
Since April, a ransomware trojan has been targeting Qnap network-attached storage devices. Only now are security patches available.
https://heise.de/-6052783
Evolution of JSWorm ransomware
There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm.
https://securelist.com/evolution-of-jsworm-ransomware/102428/
"Serverless" Phishing Campaign, (Sat, May 22nd)
The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I spot a phishing campaign that uses this piece of JavaScript code.
https://isc.sans.edu/diary/rss/27446
Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd)
Brad posted another malware analysis with capture file of Cobalt Strike traffic.
https://isc.sans.edu/diary/rss/27448
Web Applications and Internal Penetration Tests
Until recently, I really didn't care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...]
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applications-and-internal-penetration-tests/
Apple Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS
Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur, and to expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control (TCC) framework in macOS
https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html
OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant
Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye's threat intelligence and incident response unit.
https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticated-hackers-mandiant
DarkChronicles: the consequences of the Colonial Pipeline attack
This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident.
https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/
Vulnerabilities
VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure
Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
https://kb.cert.org/vuls/id/799380
VU#667933: Pulse Connect Secure Samba buffer overflow
Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.
https://kb.cert.org/vuls/id/667933
Trend Micro: Home Network Security Station secured against three vulnerabilities
A firmware update protects Home Network Security Stations against attack vectors, two of which, although only exploitable locally, are said to pose high risks.
https://heise.de/-6053146
Security updates for Monday
Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat).
https://lwn.net/Articles/857132/
Security updates for Tuesday
Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby).
https://lwn.net/Articles/857212/
[20210503] - Core - CSRF in data download endpoints
https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html
[20210502] - Core - CSRF in AJAX reordering endpoint
https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html
[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload
https://developer.joomla.org:443/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html
Pulse Secure VPNs Get Quick Fix for Critical RCE
https://threatpost.com/pulse-secure-vpns-critical-rce/166437/
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/
NGINX Controller vulnerability CVE-2021-23018
https://support.f5.com/csp/article/K97002210
NGINX Controller vulnerability CVE-2021-23021
https://support.f5.com/csp/article/K36926027
NGINX Controller vulnerability CVE-2021-23020
https://support.f5.com/csp/article/K45263486
SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls
https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-unified-firewalls