End-of-Day report
Timeframe: Tuesday 15-06-2021 18:00 - Wednesday 16-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Avaddon ransomware's exit sheds light on victim landscape
A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.
https://www.bleepingcomputer.com/news/security/avaddon-ransomwares-exit-sheds-light-on-victim-landscape/
Protecting Against Ransomware - From the Human Perspective
SANS blog post on what ransomware is, how it works, and most importantly, how to empower your workforce to protect against it.
https://www.sans.org/blog/protecting-against-ransomware-from-the-human-perspective
Nokia Deepfield global analysis shows most DDoS attacks originate from fewer than 50 hosting companies
In-depth analysis across large sample of networks globally fingerprints and traces origins of most DDoS attacks (by frequency and traffic volume)[...]
https://www.nokia.com/about-us/news/releases/2021/06/14/nokia-deepfield-global-analysis-shows-most-ddos-attacks-originate-from-fewer-than-50-hosting-companies/
The First Step: Initial Access Leads to Ransomware
Ransomware attacks still use email -- but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
Warning: do not settle Amazon orders outside the platform!
Ordering via Amazon is, for many people, an easy way to buy a wide range of products in one place. But fraudulent offers turn up on Amazon as well! If an Amazon seller wants to handle the order via e-mail, you should be careful.
https://www.watchlist-internet.at/news/achtung-amazon-bestellungen-nicht-ausserhalb-der-plattform-abwickeln/
On the Security of RFID-based TOTP Hardware Tokens
Matthias Deeg and Gerhard Klostermeier examined two different RFID-based TOTP hardware tokens, the OTCP-P2 and the Protectimus SLIM NFC.
https://www.syss.de/pentest-blog/on-the-security-of-rfid-based-totp-hardware-tokens
Ukrainian police arrest Clop ransomware members, seize server infrastructure
Multiple suspects believed to be linked to the Clop ransomware cartel have been detained in Ukraine this week after a joint operation from law enforcement agencies from Ukraine, South Korea, and the US.
https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/
Vulnerabilities
Qnap: updates for NAS fix remotely exploitable vulnerability
Operating system updates for Qnap's network-attached storage (NAS) close two vulnerabilities rated "Medium", one of which can be attacked over the internet.
https://heise.de/-6072554
Security updates for Wednesday
Security updates have been issued by Debian (prosody, python-urllib3, and xen), Fedora (dino, dotnet3.1, dotnet5.0, and vmaf), Oracle (gupnp, kernel, and kernel-container), Red Hat (gupnp), Scientific Linux (kernel), SUSE (java-1_8_0-openjdk, kernel, snakeyaml, and xorg-x11-libX11), and Ubuntu (bluez).
https://lwn.net/Articles/860004/
ZDI-21-502: An Information Disclosure Bug in ISC BIND server
You should verify that you are running a patched version of BIND, as many OS distributions ship BIND packages whose version numbers differ from the official ISC release versions (backported fixes keep the older upstream number).
https://www.thezdi.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-bug-in-isc-bind-server
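Because distributions backport fixes without bumping the upstream BIND version, the version string alone cannot tell you whether a host is patched. The following shell script is an added example (not from the ZDI post or from ISC) of the check a practitioner would run: extract the upstream version from `named -v`, compare it against the first fixed upstream version, and, when it is older, look for the CVE id in the package changelog. The fixed version and the CVE id are assumptions supplied by the caller (neither is given in the report above), and the `named -v` lines and changelog text are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the ZDI advisory or of ISC BIND itself.
# Assumptions: the caller supplies the first upstream version that carries
# the fix and the CVE id (neither appears in the report above); the sample
# `named -v` lines and changelog below are constructed for the demo.

# Pull the upstream version out of `named -v` output, dropping distro
# suffixes such as "-Debian" or "-RedHat-9.11.26-4.el8".
bind_upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted numeric versions; succeeds when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Does the package changelog (apt changelog bind9 / rpm -q --changelog bind)
# name the CVE? Backported fixes keep the old upstream number, so this is
# the signal the version string cannot give you.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -i -F -- "$2"
}

# Verdict for one host: $1 = `named -v` output, $2 = first fixed upstream
# version, $3 = CVE id, $4 = package changelog text.
bind_patch_status() {
    ver=$(bind_upstream_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$2"; then
        echo "patched-upstream"
    elif changelog_mentions_cve "$4" "$3"; then
        echo "patched-backport"
    else
        echo "vulnerable-or-unverified"
    fi
}

# Constructed sample data (not captured from real systems; the CVE id is a placeholder).
SAMPLE_DEBIAN='BIND 9.16.15-Debian (Stable Release) <id:0000000>'
SAMPLE_RHEL='BIND 9.11.26-RedHat-9.11.26-4.el8 (Extended Support Version) <id:0000000>'
SAMPLE_CHANGELOG_FIXED='bind9 (1:9.16.15-1+deb11u1) bullseye-security; urgency=high

  * Backport upstream fix for CVE-0000-0000 (placeholder id).'
SAMPLE_CHANGELOG_OLD='bind9 (1:9.16.15-1) bullseye; urgency=medium

  * New upstream release.'

# On a live host pass "$(named -v)" and
# "$(apt changelog bind9 2>/dev/null || rpm -q --changelog bind)" instead.
bind_patch_status "$SAMPLE_DEBIAN" 9.16.16 CVE-0000-0000 "$SAMPLE_CHANGELOG_FIXED"
bind_patch_status "$SAMPLE_DEBIAN" 9.16.16 CVE-0000-0000 "$SAMPLE_CHANGELOG_OLD"
bind_patch_status "$SAMPLE_RHEL"   9.16.16 CVE-0000-0000 "$SAMPLE_CHANGELOG_OLD"
```

The three calls print `patched-backport`, `vulnerable-or-unverified` and `vulnerable-or-unverified` in that order: the same Debian 9.16.15 package is only acceptable when its changelog records the backport, and a changelog that does not name the CVE leaves the host unverified rather than silently passing.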
Security Advisory - Out-Of-Bounds Read Vulnerability On Several Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210616-01-cgp-en
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-websphere-application-server-2/
Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20492)
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-cloud-is-vulnerable-to-an-xml-external-entity-injection-xxe-attack-cve-2021-20492/
Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546)
https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overflow-vulnerabilities-in-ibm-spectrum-protect-back-up-archive-client-and-ibm-spectrum-protect-for-space-management-cve-2021-29672-cve-2021-20546-2/
Security Bulletin: Vulnerability in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.8, V5.1.0.9 and V6.0.0.0
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-affecting-ibm-application-discovery-and-delivery-intelligence-v5-1-0-8-v5-1-0-9-and-v6-0-0-0/
Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2020-27221, CVE-2020-14782)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-spectrum-protect-snapshot-for-vmware-cve-2020-27221-cve-2020-14782/
Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Java SE (CVE-2020-14781)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-java-se-cve-2020-14781/
Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specifically crafted select statement. (CVE-2021-29702)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-as-the-server-terminates-abnormally-when-executing-a-specifically-crafted-select-statement-cve-2021-29702/
Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-password-synchronization-plug-in-for-windows-ad-affected-by-multiple-vulnerabilities-cve-2021-20483-cve-2021-20488/
Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2020-1968)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected-by-an-openssl-vulnerability-cve-2020-1968/
Security Bulletin: Resilient App Host secrets are not encrypted (CVE-2021-20567)
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-app-host-secrets-are-not-encrypted-cve-2021-20567/
Cross-Site Request Forgery Patched in WP Fluent Forms
https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms/
Synology-SA-21:21 Audio Station
https://www.synology.com/en-global/support/security/Synology_SA_21_21
Trend Micro InterScan Web Security Virtual Appliance: vulnerability enables cross-site scripting
http://www.cert-bund.de/advisoryshort/CB-K21-0660
ThroughTek P2P SDK
https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01
Automation Direct CLICK PLC CPU Modules
https://us-cert.cisa.gov/ics/advisories/icsa-21-166-02
SYSS-2021-022, SYSS-2021-023, SYSS-2021-025, SYSS-2021-026: Multiple vulnerabilities in HR software LOGA3
https://www.syss.de/pentest-blog/syss-2021-022-syss-2021-023-syss-2021-025-syss-2021-026-mehrere-schwachstellen-in-hr-software-loga3
SYSS-2021-007: Protectimus SLIM NFC - External Control of System or Configuration Setting (CWE-15) (CVE-2021-32033)
https://www.syss.de/pentest-blog/syss-2021-007-protectimus-slim-nfc-external-control-of-system-or-configuration-setting-cwe-15-cve-2021-32033