Tageszusammenfassung - 14.06.2021

End-of-Day report

Timeframe: Freitag 11-06-2021 18:00 - Montag 14-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner

News

DDoS Angriffe gegen Unternehmen in Österreich

Seit einigen Wochen versucht eine Gruppe, die sich "Fancy Lazarus" nennt, mittels DDoS-Angriffen und der Androhung von Folgeangriffen, Schutzgelder zu erpressen. Vergleichbare Angriffe gab es global auch schon ab August 2020 unter ähnlichen Namen. Nachdem wir Meldungen von Partner-CERTs an uns über Angriffe auf Ziele in anderen EU Staaten bekommen haben, sind jetzt auch in Österreich einige Fälle aufgetreten.

https://cert.at/de/warnungen/2021/6/ddos-angriffe-gegen-unternehmen-in-osterreich


Password Attacks 101

According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number hit 30%. Brute force attacks have a similar share, accounting for 18% of all breaches, and 34% of those for small businesses. Why are password attacks like brute forcing so effective? And how exactly do they work? Let-s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes.

https://blog.sucuri.net/2021/06/3-password-attacks-101.html


Macher der Ransomware Avaddon geben auf und veröffentlichen Schlüssel

Es ist ein kostenloses Entschlüsselungstool für Opfer des Erpressungstrojaners Avaddon erschienen.

https://heise.de/-6070028


Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.

https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-jetpack-users-reusing-passwords/


Micropatch for Another Remote Code Execution Issue in Internet Explorer (CVE-2021-31959)

Windows Updates brought a fix for another "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419) discovered by Ivan Fratric of Google Project Zero, very similar to this vulnerability discovered also discovered by Ivan and patched in May.Ivan published details and a proof-of-concept three days ago and we took these to reproduce the vulnerability in our lab and create a micropatch for it.

https://blog.0patch.com/2021/06/micropatch-for-another-remote-code.html


Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs

I recently came across an interesting bug in the Microsoft Power Apps service which, despite its simplicity, can be leveraged by an attacker to gain persistent read/write access to a victim user-s email, Teams chats, OneDrive, Sharepoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows. The bug has since been fixed by Microsoft, but in this blog we-re going to see how it /could/ have been exploited.

https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-in-microsoft-teams-through-malicious-tabs-a7e5ff07b138

Vulnerabilities

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

We initially reached out to the plugin-s developer on May 21, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details on May 24, 2021. A patch was quickly released on May 28, 2021 in version 2.6.0. We highly recommend updating to the latest patched version available, 2.6.0, immediately.

https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-in-woocommerce-stock-manager-plugin/


Security updates for Monday

Security updates have been issued by Arch Linux (apache, gitlab, inetutils, isync, kube-apiserver, nettle, polkit, python-urllib3, python-websockets, thunderbird, and wireshark-cli), Debian (squid3), Fedora (glibc, libxml2, mingw-openjpeg2, and openjpeg2), Mageia (djvulibre, docker-containerd, exif, gnuchess, irssi, jasper, kernel, kernel-linus, microcode, python-lxml, python-pygments, rust, slurm, and wpa_supplicant, hostapd), openSUSE (389-ds and pam_radius), Oracle (.NET Core 3.1, container-tools:3.0, container-tools:ol8, krb5, microcode_ctl, postgresql:12, postgresql:13, and runc), Red Hat (dhcp, postgresql, postgresql:10, postgresql:12, postgresql:9.6, rh-postgresql10-postgresql, rh-postgresql12-postgresql, and rh-postgresql13-postgresql), Scientific Linux (dhcp and microcode_ctl), SUSE (ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone, crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store, freeradius-server, libjpeg-turbo, spice, and squid), and Ubuntu (rpcbind).

https://lwn.net/Articles/859669/


Security Bulletin: Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential caching vulnerability (CVE-2020-5003

https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-financial-transaction-manager-for-corporate-payment-services-is-affected-by-a-potential-caching-vulnerability-cve-2020-5003/


Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-23337)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-v11-are-affected-by-vulnerabilities-in-node-js-cve-2021-23337/


Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-activemq-affects-ibm-operations-analytics-predictive-insights-cve-2020-13947/


CISA Releases Advisory on ZOLL Defibrillator Dashboard

https://us-cert.cisa.gov/ncas/current-activity/2021/06/14/cisa-releases-advisory-zoll-defibrillator-dashboard