Daily summary - 11.06.2021

End-of-Day report

Timeframe: Thursday 10-06-2021 18:00 - Friday 11-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th)

With Python getting more and more popular, especially on Microsoft Operating systems, it's common to find malicious Python scripts today.

https://isc.sans.edu/diary/rss/27514


SQL Injection: Targeted Countermeasures Instead of Block Lists

Among web vulnerabilities, SQL injection still plays a leading role, yet defending against it is not hard at all.

https://heise.de/-6067640


Why hackers don't fly coach

Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain (AISD).

https://www.pentestpartners.com/security-blog/why-hackers-dont-fly-coach/


Unauthorized access to your PayPal account? Ignore this e-mail!

Criminals are currently sending a phishing e-mail in the name of PayPal. It claims there has been unusual activity on your PayPal account, so you supposedly have to log in and confirm your identity. Do not comply with these demands. Criminals are trying to gain access to your PayPal account.

https://www.watchlist-internet.at/news/unbefugter-zugriff-auf-ihr-paypal-konto-ignorieren-sie-diese-e-mail/


Proxy Windows Tooling via SOCKS

Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion.

https://posts.specterops.io/proxy-windows-tooling-via-socks-c1af66daeef3


BackdoorDiplomacy: Upgrading from Quarian to Turian

ESET researchers discover a new campaign that evolved from the Quarian backdoor.

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/


Breaking SSL Locks: App Developers Behaving Badly

Symantec analyzed five years' worth of Android and iOS apps to see how many are sending data securely.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mobile-apps-ssl-locks


Authorities seize SlilPP, a marketplace for stolen login credentials

The US Department of Justice announced today it seized the servers and domains of SlilPP, a well-known online marketplace where criminal groups assembled to trade stolen login credentials.

https://therecord.media/authorities-seize-slilpp-a-marketplace-for-stolen-login-credentials/

Vulnerabilities

Hackers can exploit bugs in Samsung pre-installed apps to spy on users

Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system.

https://www.bleepingcomputer.com/news/security/hackers-can-exploit-bugs-in-samsung-pre-installed-apps-to-spy-on-users/


Qnap secures switches and network storage against unauthorized access

Important security updates are available for various Qnap network devices.

https://heise.de/-6068667


Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog)

On the GitHub blog, Kevin Backhouse writes about a privilege escalation vulnerability in polkit, which enables an unprivileged local user to get a root shell on the system. CVE-2021-3560 is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request.

https://lwn.net/Articles/859064/


Security updates for Friday

Security updates have been issued by Debian (libwebp), Fedora (firefox, lasso, mod_auth_openidc, nginx, redis, and squid), Oracle (.NET 5.0, container-tools:2.0, dhcp, gupnp, hivex, kernel, krb5, libwebp, nginx:1.16, postgresql:10, and postgresql:9.6), SUSE (containerd, docker, runc, csync2, and salt), and Ubuntu (libimage-exiftool-perl, libwebp, and rpcbind).

https://lwn.net/Articles/859192/


WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting

https://jvn.jp/en/jp/JVN70566757/


Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th)

https://isc.sans.edu/diary/rss/27518


ZDI-21-682: (0Day) D-Link DAP-1330 HNAP Cookie Header Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-682/


ZDI-21-681: (0Day) D-Link DAP-1330 lighttpd http_parse_request Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-681/


ZDI-21-680: (0Day) D-Link DAP-1330 lighttpd get_soap_action Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-680/


ZDI-21-679: (0Day) D-Link DAP-1330 HNAP checkValidRequest Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-679/


Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29754)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-privilege-escalation-vulnerability-cve-2021-29754/


Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects TPF Toolkit

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affects-tpf-toolkit/


Security Bulletin: IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to cacheable SSL Pages (CVE-2021-20396)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analyst-workflow-app-for-ibm-qradar-siem-is-vulnerable-to-cacheable-ssl-pages-cve-2021-20396/


Red Hat OpenShift: Vulnerability allows bypassing security controls

http://www.cert-bund.de/advisoryshort/CB-K21-0652