Daily summary - 29.06.2021

End-of-Day report

Timeframe: Monday 28-06-2021 18:00 - Tuesday 29-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

Ransomware gangs now creating websites to recruit affiliates

Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their service through alternative methods.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/


Microsoft successfully hit by dependency hijacking again

Microsoft has once again been successfully hit by a dependency hijacking attack. This month, another researcher found an npm internal dependency being used by an open-source project.

https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-by-dependency-hijacking-again/


Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground

After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, it's happened again - with big security ramifications.

https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/


CFBF Files Strings Analysis, (Mon, Jun 28th)

The Office file format that predates the OOXML format is a binary format based on the CFBF format. I informally call this the ole file format.

https://isc.sans.edu/diary/rss/27576


Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th)

I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a PDF file, and instructed the recipient to download the file for further information.

https://isc.sans.edu/diary/rss/27578


REvil ransomware now targets virtual machines

Several security researchers warn of a new REvil version that threatens even more devices.

https://heise.de/-6122156


Analyzing CVE-2021-1665 - Remote Code Execution Vulnerability in Windows GDI+

Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-1665-remote-code-execution-vulnerability-in-windows-gdi/


Instagram: collaboration requests from wegego.com are fake

Instagram users are currently being contacted more and more often by a profile called sara.wegego, an alleged brand ambassador manager at wegego.com. They are offered a collaboration with the company.

https://www.watchlist-internet.at/news/instagram-kooperationsanfragen-von-wegegocom-sind-fake/


CISA Begins Cataloging Bad Practices that Increase Cyber Risk

In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions.

https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-cataloging-bad-practices-increase-cyber-risk

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Debian (klibc and libjdom2-java), Mageia (bash, glibc, gnutls, java-openjdk, kernel, kernel-linus, leptonica, libgcrypt, openjpeg2, tor, and trousers), openSUSE (bouncycastle, chromium, go1.16, and kernel), Oracle (docker-engine docker-cli and qemu), Red Hat (kpatch-patch), and SUSE (arpwatch, go1.16, kernel, libsolv, microcode_ctl, and python-urllib3, python-requests).

https://lwn.net/Articles/861310/


PoC released for dangerous Windows PrintNightmare bug

Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service (spoolsv.exe) that can allow a total compromise of Windows systems.

https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/


Security Bulletin: Vulnerabilities in Python, Tornado, and Urllib3 affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python-tornado-and-urllib3-affect-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore/


Security Bulletin: IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-dataquant-fix-for-all-apache-pdf-box-publicly-disclosed-vulnerability/


Security Bulletin: IBM Spectrum Protect Plus has Insecure File Permissions due to not setting the Sticky Bit (CVE-2021-20490)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus-has-insecure-file-permissions-due-to-not-setting-the-sticky-bit-cve-2021-20490/
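The bulletin above names the misconfiguration class (a world-writable directory without the sticky bit, so any local user can delete or rename files that other users placed there) but the page does not say which path is affected. The following is an added example, not code from IBM or from the bulletin, that scans a directory tree for exactly that condition and demonstrates it on a constructed temporary tree; the scan root passed to it is an assumption of the example, not a path from the advisory.

```shell
#!/bin/sh
# Added example (not part of the IBM bulletin): report directories that are
# world-writable (o+w) but lack the sticky bit (+t). In such a directory any
# local user may remove or rename any other user's files; shared directories
# such as /tmp are expected to be mode 1777 for this reason.
find_unsticky_world_writable() {
    # $1: root of the tree to scan (an assumed input, not a path from the advisory)
    # -perm -0002 : others have write permission
    # ! -perm -1000 : sticky bit not set
    # -xdev         : stay on one filesystem to avoid wandering into mounts
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Constructed demonstration tree: "good" is a correctly configured shared
# directory (1777), "bad" is world-writable without the sticky bit (0777).
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/good" "$d/bad"
    chmod 1777 "$d/good"
    chmod 0777 "$d/bad"
    printf '%s\n' "$d"
}

# Usage: sh sticky_check.sh --demo   (prints only the ".../bad" directory)
#        or call find_unsticky_world_writable /path/to/install on a real host.
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_tree)
    find_unsticky_world_writable "$root"
    rm -rf "$root"
fi
```

The fix for any directory the scan reports is `chmod +t` on it (or tightening it away from world-writable if sharing is not needed); re-run the scan afterwards to confirm it no longer appears.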


Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-ibm-app-connect-enterprise-v11-are-affected-by-vulnerabilities-in-node-js-cve-2021-3450-cve-2021-3449/


Security Bulletin: Multiple vulnerabilities in open source libraries affects Tivoli Netcool/OMNIbus WebGUI

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-open-source-libraries-affects-tivoli-netcool-omnibus-webgui/


Security Bulletin: Vulnerabilities in Redis, MinIO, Golang, and Urllib3 affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-minio-golang-and-urllib3-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift/


Security Bulletin: Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-mongodb-node-js-docker-and-xstream-affect-ibm-spectrum-protect-plus/


Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-3449 , CVE-2021-3450)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect-enterprise-v11-cve-2021-3449-cve-2021-3450-2/


Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-websphere-application-server-3/


Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-23839, CVE-2021-23840)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect-enterprise-v11-cve-2021-23839-cve-2021-23840-2/


Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-authenticated-user-to-overwrite-arbirary-files-due-to-improper-group-permissions-cve-2020-4945-3/


Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-user-to-access-and-change-the-configuration-of-db2-due-to-a-race-condition-via-a-symbolic-link-cve-2020-4885-2/


Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/


Red Hat OpenShift: multiple vulnerabilities allow code execution

http://www.cert-bund.de/advisoryshort/CB-K21-0700


MISP: vulnerability allows an unspecified attack

http://www.cert-bund.de/advisoryshort/CB-K21-0699