Daily summary - 09.07.2021
End-of-Day report
Timeframe: Thursday 08-07-2021 18:00 - Friday 09-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter
News
Kaseya warns of phishing campaign pushing fake security updates
Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.
Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability
On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.
Hancitor tries XLL as initial malware file, (Fri, Jul 9th)
On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive an XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.
https://isc.sans.edu/diary/rss/27618
Security updates: admin vulnerability threatens Cisco Business Process Automation
Network equipment vendor Cisco has released patches for various products that close several security vulnerabilities.
ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks
The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-technique-recent-attacks
CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict
In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog takes a deeper look at the root cause of this vulnerability.
Ransomwhere project wants to create a database of past ransomware payments
A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem.
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
Vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd).
https://lwn.net/Articles/862299/
Rockwell Automation MicroLogix 1100
This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation MicroLogix 1100.
https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01
MDT AutoSave
This advisory contains mitigations for Inadequate Encryption Strength, SQL Injection, Relative Path Traversal, Command Injection, Uncontrolled Search Path Element, Generation of Error Message Containing Sensitive Information, and Unrestricted Upload of File with Dangerous Type in MDT Software in MDT AutoSave products.
https://us-cert.cisa.gov/ics/advisories/icsa-21-189-02
Vulnerabilities in CODESYS V2 runtime systems
BOSCH-SA-475180: The control systems SYNAX, Visual Motion, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contain PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published a security bulletin (1) about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, attackers can send crafted communication packets which may result in a denial of service condition or, in the worst case, allow remote code execution.
https://psirt.bosch.com/security-advisories/bosch-sa-475180.html
voidtools "Everything" vulnerable to HTTP header injection
https://jvn.jp/en/jp/JVN68971465/
Apache Pulsar vulnerability CVE-2021-22160
https://support.f5.com/csp/article/K68146245
Apache vulnerability CVE-2021-30641
https://support.f5.com/csp/article/K13815051
Advisory: Denial of service vulnerability on Automation Runtime webserver
https://www.br-automation.com/downloads_br_productcatalogue/assets/1625405588264-en-original-1.0.pdf