Tageszusammenfassung - 24.06.2021

End-of-Day report

Timeframe: Mittwoch 23-06-2021 18:00 - Donnerstag 24-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl

News

Malicious spam campaigns delivering banking Trojans

In mid-March 2021, we observed two new spam campaigns delivering banking Trojans. The payload in most cases was IcedID, but we have also seen a few QBot (aka QakBot) samples.

https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917/


Yet Another Archive Format Smuggling Malware

The use of novel disk image files to encapsulate malware distributed via spam has been a theme that we have highlighted over the past couple of years. As anticipated, we have seen more disk image file formats being used, in addition to .ISO, .IMG, and .DAA which we blogged about.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/


Online Credit Card Theft - A Brief Overview of Online Fraud and Abuse - Part 1

Many clients that we work with host and operate ecommerce websites which are frequent targets of attackers. The goal of these attacks is to steal credit card details from unsuspecting victims and sell them on the black market for a profit. The online ecommerce environment is diverse, constituting many different content management system (CMS) platforms and payment gateways all of which have their own features and risks. In this post I will attempt to demystify this cluttered environment [...]

https://blog.sucuri.net/2021/06/online-credit-card-theft-online-fraud.html


The May/June 2021 issue of our SWITCH Security Report is available!

Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available!

https://securityblog.switch.ch/2021/06/24/the-may-june-2021-issue-of-our-switch-security-report-is-available/


Complicated Active Directory setups are undermining security

Researchers have found several flaws in the Active Directory Certificate Service that can lead to credential theft, privilege escalation, and domain persistence.

https://blog.malwarebytes.com/reports/2021/06/complicated-active-directory-setups-are-undermining-security/


Announcing a unified vulnerability schema for open source

In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work.

https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html


Betrügerische -Voicemail- SMS massenhaft im Umlauf!

Eine neue Welle betrügerischer SMS-Nachrichten fegt momentan über den deutschsprachigen Raum hinweg. In diesen SMS ist von einer neuen Voicemail, also einer Sprachnachricht, die Rede. Ein Link zum Abhören führt zu einer Fake-Seite, auf der eine App heruntergeladen werden soll. Achtung: Die App enthält Schadsoftware!

https://www.watchlist-internet.at/news/betruegerische-voicemail-sms-massenhaft-im-umlauf/

Vulnerabilities

Atlassian Bugs Could Have Led to 1-Click Takeover

A supply-chain attack could have siphoned sensitive information out of Jira, such as security issues on Atlassian cloud, Bitbucket and on-prem products.

https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/167203/


Sicherheitsupdate: Angreifer könnten eigene Befehle auf Qnap NAS ausführen

Qnap hat das Betriebssystem seiner Netzwerkspeicher gegen Command-Injection-Attacken abgesichert.

https://heise.de/-6117589


Kritische Admin-Lücke bedroht VMware Carbon Black App Control

Angreifer könnten Systeme mit der Server-Schutzlösung Carbon Black App Control von VMware attackieren.

https://heise.de/-6117422


Security updates for Thursday

Security updates have been issued by Mageia (apache-mod_auth_openidc, bind, bluez, cifs-utils, ffmpeg, gnome-autoar, guacd, kernel, kernel-linus, qtwebsockets5, slic3r, tunnel, wavpack, wireshark, and xscreensaver), openSUSE (apache2, cryptctl, go1.15, libnettle, python-rsa, salt, thunderbird, wireshark, libvirt, sbc, libqt5-qtmultimedia, xstream, and xterm), and SUSE (cryptctl, freeradius-server, libnettle, and libsolv).

https://lwn.net/Articles/860809/


129 Dell models, including Secured-core PCs, vulnerable to new firmware flaws

Around 129 Dell consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs, have been found to be vulnerable to a series of vulnerabilities that can allow threat actors to pass as the official dell.com domain and trigger malicious BIOS/UEFI firmware updates.

https://therecord.media/129-dell-models-including-secured-core-pcs-vulnerable-to-new-firmware-flaws/


Zyxel says a threat actor is targeting its enterprise firewall and VPN devices

Networking equipment vendor Zyxel has emailed customers this week to alert them about a series of attacks that have been targeting some of the companys high-end enterprise-focused firewall and VPN server products.

https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterprise-firewall-and-vpn-devices/


Security Advisory - Logic Vulnerability in Huawei WATCH Kid Product

http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-01-logic-en


Security Bulletin: IBM MQ is vulnerable to an issue within Pacemaker. (CVE-2020-25654)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-within-pacemaker-cve-2020-25654/


Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates-process-is-vulnerable-to-dll-hijacking-cve-2019-4588-2/


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based (June 2021)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-tivoli-monitoring-for-virtual-environments-agent-for-linux-kernel-based-june-2021/


Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbirary files due to improper group permissions. (CVE-2020-4945)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-authenticated-user-to-overwrite-arbirary-files-due-to-improper-group-permissions-cve-2020-4945/


Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to an issue within IBM® Runtime Environment Java- Technology Edition, Version 7. (CVE-2020-14782, CVE-2020-14781)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru-is-vulnerable-to-an-issue-within-ibm-runtime-environment-java-technology-edition-version-7-cve-2020-14782-cve-2020-14781/


Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-node-js-vulnerability-7/


Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-13/


Security Bulletin: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2021-20579/


Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-identified-in-ibm-websphere-application-server-used-by-ibm-infosphere-master-data-management-5/


Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-user-to-access-and-change-the-configuration-of-db2-due-to-a-race-condition-via-a-symbolic-link-cve-2020-4885/


Drupal: Mehrere Schwachstellen ermöglichen Manipulation von Dateien

http://www.cert-bund.de/advisoryshort/CB-K21-0686