Daily summary - 17.06.2021

End-of-Day report

Timeframe: Wednesday 16-06-2021 18:00 - Thursday 17-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner

News

Criminals are mailing hacked Ledger devices to steal cryptocurrency

Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.

https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-hacked-ledger-devices-to-steal-cryptocurrency/


Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th)

The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straightforward, but it also tips off an intruder that he has been found out. Sometimes it makes sense to first watch for a while and learn more, for example about compromised accounts, lateral movement, or other involved hosts.

https://isc.sans.edu/diary/rss/27536


Top 5 ICS Incident Response Tabletops and How to Run Them

In this blog SANS instructor, Dean Parsons, discusses the top five ICS incident response table tops and how to run them. How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against Ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure?

https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them?msc=rss


What you need to know about Process Ghosting, a new executable image tampering attack

This blog describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it - and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).

https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack


Google launches a framework against supply-chain attacks

SLSA is intended to ensure the integrity of code from check-in into the repository, through the build process, to the use of packages.

https://heise.de/-6073057


Cybercriminals go after Amazon Prime Day Shoppers

- In the last 30 days, over 2300 new domains were registered about Amazon, a 10% increase from the previous Amazon Prime Day, where the majority now are either malicious or suspicious
- Almost 1 out of 2 (46%) of new domains registered containing the word "Amazon" are malicious
- Almost 1 out of 3 (32%) of new domains registered with the word "Amazon" are deemed suspicious

https://blog.checkpoint.com/2021/06/16/cybercriminals-go-after-amazon-prime-day-shoppers/

Vulnerabilities

Hitachi Application Server Help vulnerable to cross-site scripting

The following products are affected by the vulnerability.
* Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier
* Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier
Solution: Apply the appropriate latest version of the help according to the information provided by the developer.

https://jvn.jp/en/jp/JVN03776901/


Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015

The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal; its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle block access control on its EntityView plugin.

https://www.drupal.org/sa-contrib-2021-015


Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017

This module provides a revision UI for Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.

https://www.drupal.org/sa-contrib-2021-017


Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016

This module provides a revision UI for Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.

https://www.drupal.org/sa-contrib-2021-016


Cisco Security Advisories

Cisco has published security advisories for eight vulnerabilities. None of them is rated "Critical"; four are rated "High".

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F06%2F16&firstPublishedEndDate=2021%2F06%2F16


Security updates for Thursday

Security updates have been issued by CentOS (gnupnp and postgresql), Fedora (dino, microcode_ctl, and xen), Mageia (apache, gsoap, libgd, openssh, perl-Image-ExifTool, python-bleach, and qt4 and qtsvg5), openSUSE (chromium, containerd, docker, runc, djvulibre, htmldoc, kernel, libjpeg-turbo, libopenmpt, libxml2, spice, squid, and ucode-intel), Red Hat (dhcp and glib2), SUSE (apache2, inn, java-1_8_0-openjdk, and webkit2gtk3), and Ubuntu (nettle).

https://lwn.net/Articles/860128/


D-LINK Router: Multiple vulnerabilities

A remote, anonymous attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code, manipulate files, disclose information, cause a denial of service condition, or bypass security measures.

http://www.cert-bund.de/advisoryshort/CB-K21-0666


OTRS: Multiple vulnerabilities

A remote, anonymous attacker can exploit multiple vulnerabilities in OTRS to carry out a denial of service or cross-site scripting attack.

http://www.cert-bund.de/advisoryshort/CB-K21-0669


Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531)

https://www.ibm.com/blogs/psirt/security-bulletin-icu-vulnerability-affects-ibm-control-center-cve-2020-10531/


Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Java vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-cloud-pak-for-data-might-be-affected-by-some-underlying-java-vulnerabilities/


Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying WebSphere Liberty vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-cloud-pak-for-data-might-be-affected-by-some-underlying-websphere-liberty-vulnerabilities/


Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-password-synchronization-plug-in-for-windows-ad-affected-by-multiple-vulnerabilities-cve-2021-20483-cve-2021-20488-2/


Security Bulletin: Vulnerability in the AIX trace facility (CVE-2021-29706)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-trace-facility-cve-2021-29706/


Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-oracle-mysql-2/


Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-jasperreports-vulnerabilities-affect-ibm-control-center-cve-2020-9410-cve-2018-18809/


Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-java-batch-is-vulnerable-to-an-xml-external-entity-injection-xxe-vulnerability-cve-2021-20492-2/