End-of-Day report
Timeframe: Wednesday 16-06-2021 18:00 - Thursday 17-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
Criminals are mailing hacked Ledger devices to steal cryptocurrency
Scammers are sending fake replacement devices, which are used to steal cryptocurrency wallets, to Ledger customers exposed in a recent data breach.
https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-hacked-ledger-devices-to-steal-cryptocurrency/
Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th)
The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straightforward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while and learn more, for example about compromised accounts, lateral movement, or other involved hosts.
https://isc.sans.edu/diary/rss/27536
Top 5 ICS Incident Response Tabletops and How to Run Them
In this blog, SANS instructor Dean Parsons discusses the top five ICS incident response tabletops and how to run them. How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure?
https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them?msc=rss
What you need to know about Process Ghosting, a new executable image tampering attack
This blog describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it - and then execute the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
Google launches a framework against supply-chain attacks
SLSA is intended to ensure the integrity of code from check-in into the repository, through the build process, up to the use of packages.
https://heise.de/-6073057
Cybercriminals go after Amazon Prime Day Shoppers
- In the last 30 days, over 2300 new Amazon-related domains were registered, a 10% increase from the previous Amazon Prime Day; the majority are now either malicious or suspicious
- Almost 1 out of 2 (46%) of new domains registered containing the word "Amazon" are malicious
- Almost 1 out of 3 (32%) of new domains registered with the word "Amazon" are deemed suspicious
https://blog.checkpoint.com/2021/06/16/cybercriminals-go-after-amazon-prime-day-shoppers/
Vulnerabilities
Hitachi Application Server Help vulnerable to cross-site scripting
The following products are affected by the vulnerability.
* Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier
* Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier
Solution: Apply the appropriate latest version of the help according to the information provided by the developer.
https://jvn.jp/en/jp/JVN03776901/
Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015
The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal; its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle block access control on its EntityView plugin.
https://www.drupal.org/sa-contrib-2021-015
Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017
This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.
https://www.drupal.org/sa-contrib-2021-017
Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016
This module provides a revision UI to Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.
https://www.drupal.org/sa-contrib-2021-016
Cisco Security Advisories
Cisco has published security advisories for eight vulnerabilities. None of them is rated "Critical"; four are rated "High".
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F06%2F16&firstPublishedEndDate=2021%2F06%2F16
Security updates for Thursday
Security updates have been issued by CentOS (gnupnp and postgresql), Fedora (dino, microcode_ctl, and xen), Mageia (apache, gsoap, libgd, openssh, perl-Image-ExifTool, python-bleach, and qt4 and qtsvg5), openSUSE (chromium, containerd, docker, runc, djvulibre, htmldoc, kernel, libjpeg-turbo, libopenmpt, libxml2, spice, squid, and ucode-intel), Red Hat (dhcp and glib2), SUSE (apache2, inn, java-1_8_0-openjdk, and webkit2gtk3), and Ubuntu (nettle).
https://lwn.net/Articles/860128/
D-LINK Router: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code, manipulate files, disclose information, cause a denial-of-service condition, or bypass security measures.
http://www.cert-bund.de/advisoryshort/CB-K21-0666
OTRS: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in OTRS to carry out a denial-of-service or cross-site scripting attack.
http://www.cert-bund.de/advisoryshort/CB-K21-0669
Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531)
https://www.ibm.com/blogs/psirt/security-bulletin-icu-vulnerability-affects-ibm-control-center-cve-2020-10531/
Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Java vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-cloud-pak-for-data-might-be-affected-by-some-underlying-java-vulnerabilities/
Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying WebSphere Liberty vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-cloud-pak-for-data-might-be-affected-by-some-underlying-websphere-liberty-vulnerabilities/
Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-password-synchronization-plug-in-for-windows-ad-affected-by-multiple-vulnerabilities-cve-2021-20483-cve-2021-20488-2/
Security Bulletin: Vulnerability in the AIX trace facility (CVE-2021-29706)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-trace-facility-cve-2021-29706/
Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-oracle-mysql-2/
Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-jasperreports-vulnerabilities-affect-ibm-control-center-cve-2020-9410-cve-2018-18809/
Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492)
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-java-batch-is-vulnerable-to-an-xml-external-entity-injection-xxe-vulnerability-cve-2021-20492-2/