Daily summary - 30.07.2021

End-of-Day report

Timeframe: Thursday 29-07-2021 18:00 - Friday 30-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

[SANS ISC] Infected With a .reg File

I published the following diary on isc.sans.edu: "Infected With a .reg File": Yesterday, I reported a piece of malware that uses archive.org to fetch its next stage. Today, I spotted another file that is also interesting: A Windows Registry file (with a ".reg" extension). Such files are text files created by exporting values [...]

https://blog.rootshell.be/2021/07/30/sans-isc-infected-with-a-reg-file/
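Because a .reg export is plain text, it can be triaged without ever importing it. The following is an added example, not code from the diary above: a small parser for the .reg format (section headers, quoted value names, multi-line hex: values) followed by triage rules that flag writes to common persistence keys, script-host launchers, encoded PowerShell and executables in user-writable paths. The sample .reg text and the key/pattern lists are constructed for illustration and are not taken from the analysed file.

```python
"""Triage a Windows .reg export for persistence and suspicious launch commands.

Added example; the sample below is constructed and the rule lists are
illustrative, not exhaustive.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one benign key, one Run entry launching encoded
# PowerShell, one Winlogon shell hijack pointing at a user-writable path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; comment lines are ignored
[HKEY_CURRENT_USER\Software\Example\Settings]
"Theme"="dark"
"Blob"=hex:00,01,02,\
  03,04,05

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svc.exe"
"""

# Registry paths commonly used for autostart (lower-case substrings).
PERSISTENCE_KEYS = (
    r"software\microsoft\windows\currentversion\run",           # also matches RunOnce
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"software\microsoft\windows nt\currentversion\image file execution options",
)
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|cmd)\b", re.I)
ENC_RE = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
USER_WRITABLE_RE = re.compile(r"\\(users\\public|programdata|appdata|temp)\\", re.I)

# "name"=value  or  @=value  (default value); name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, raw_value) triples from .reg text.

    hex: values continued over several lines (trailing backslash) are joined
    first, so a long REG_BINARY payload is recorded as a single entry.
    """
    entries: List[Tuple[str, str, str]] = []
    key = None
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if not pending and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # "[-HKEY...]" would be a key deletion
            continue
        pending += line.rstrip("\\")
        if line.endswith("\\"):
            continue                  # continuation line follows
        m = VALUE_RE.match(pending)
        pending = ""
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            entries.append((key, name, m.group(3)))
    return entries


def decode_value(raw: str) -> str:
    """Unescape a quoted REG_SZ; leave dword:/hex: values as written."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def triage(entries: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Flag entries that touch persistence locations or carry suspicious payloads."""
    findings = []
    for key, name, raw in entries:
        value = decode_value(raw)
        reasons = []
        if any(p in key.lower() for p in PERSISTENCE_KEYS):
            reasons.append("write to persistence key")
        if LOLBIN_RE.search(value):
            reasons.append("launches script host / LOLBin")
        if ENC_RE.search(value):
            reasons.append("encoded PowerShell command")
        if USER_WRITABLE_RE.search(value):
            reasons.append("executable in user-writable path")
        if raw.lower().startswith("hex") and len(raw) > 200:
            reasons.append("large binary blob")
        if reasons:
            findings.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f"[{f['key']}] {f['name']} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, the benign Theme and Blob values pass, while the Run entry is flagged for all three of persistence key, script host and encoded command, and the Winlogon Shell value for persistence key plus a binary under C:\Users\Public. The hex: handling matters in practice: a malicious .reg can carry a whole second-stage payload as REG_BINARY, which only shows up as one oversized value once continuation lines are joined.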


The Life Cycle of a Breached Database

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here's a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/


Threat Spotlight: Solarmarker

Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger. A previous staging module, "d.m," used with this malware has been replaced by a new module dubbed "Mars."

https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html


This Week in Security: Fail2RCE, TPM Sniffing, Fishy Leaks, and Decompiling

Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker [...]

https://hackaday.com/2021/07/30/this-week-in-security-fail2rce-tpm-sniffing-fishy-leaks-and-decompiling/


Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russia's aggressive cyber campaigns topped the list of President Biden's strategic concerns. Given this context, RiskIQ's Team Atlas paid particular attention to APT29 around and after this summit, which took place on June 16. This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below.

https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/


NSA Releases Guidance on Securing Wireless Devices While in Public

The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet describes malicious techniques used by cyber actors to target wireless devices and ways to protect against them.

https://us-cert.cisa.gov/ncas/current-activity/2021/07/30/nsa-releases-guidance-securing-wireless-devices-while-public


Python team fixes bug that allowed takeover of PyPI repository

The Python security team has fixed today three vulnerabilities impacting the Python Package Index (PyPI), the official repository for Python libraries, including one that could have allowed a threat actor to take full control over the portal.

https://therecord.media/python-team-fixes-bug-that-allowed-takeover-of-pypi-repository/

Vulnerabilities

Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the requests originated from the application itself. A malicious web site visited by a logged-in user can therefore trigger these actions to disable authentication and change the password of the administrative account.

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php
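The root cause is that the device honours any state-changing request that carries a valid session cookie, which the victim's browser attaches automatically. The model below is an added example, not the camera firmware or the advisory's proof of concept: a minimal request handler with two endpoints (disable authentication, change password) run once without and once with a synchronizer-token check plus an Origin check. The class, endpoint paths, hostnames and the attacker's forged request are all assumptions made for the demonstration.

```python
"""Cross-site request forgery against a device web UI: vulnerable vs. hardened.

Added example with an assumed request/session model; not the vendor's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: str
    # Per-session secret the UI embeds as a hidden form field; a third-party
    # page cannot read it, so it cannot be included in a forged request.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class CameraWebUI:
    """Minimal model of a management interface (assumed API)."""

    def __init__(self, host: str = "camera.local", csrf_protected: bool = False):
        self.host = host
        self.csrf_protected = csrf_protected
        self.sessions: Dict[str, Session] = {}
        self.admin_password = "initial"
        self.auth_enabled = True

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid].csrf_token

    def _csrf_ok(self, req: Request, session: Session) -> bool:
        # 1) the request must come from our own origin (Origin, else Referer);
        #    a missing header is rejected for state-changing requests.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if urlsplit(origin).hostname != self.host:
            return False
        # 2) the submitted token must match the session's token (constant time).
        token = req.form.get("csrf_token", "")
        return hmac.compare_digest(token, session.csrf_token)

    def handle(self, req: Request) -> int:
        session = self.sessions.get(req.cookies.get("sid", ""))
        if session is None or req.method != "POST":
            return 403
        # Vulnerable build: the cookie alone authorises the change.
        if self.csrf_protected and not self._csrf_ok(req, session):
            return 403
        if req.path == "/set_auth":
            self.auth_enabled = req.form.get("enabled") == "1"
        elif req.path == "/set_password":
            self.admin_password = req.form.get("new_password", "")
        else:
            return 404
        return 200


def cross_site_post(sid: str, path: str, form: Dict[str, str]) -> Request:
    """What the victim's browser sends when attacker.example auto-submits a form:
    the session cookie rides along, the Origin is the attacker's, no token."""
    return Request("POST", path, {"sid": sid}, form, {"Origin": "https://attacker.example"})


def demo(csrf_protected: bool) -> Tuple[int, int, bool, str, int]:
    """Returns (status disable-auth, status set-password, auth_enabled,
    admin_password after the attack, status of a legitimate first-party change)."""
    cam = CameraWebUI(csrf_protected=csrf_protected)
    sid = cam.login("admin")
    s_auth = cam.handle(cross_site_post(sid, "/set_auth", {"enabled": "0"}))
    s_pw = cam.handle(cross_site_post(sid, "/set_password", {"new_password": "pwned"}))
    auth_after, pw_after = cam.auth_enabled, cam.admin_password
    legit = Request("POST", "/set_password", {"sid": sid},
                    {"new_password": "rotated", "csrf_token": cam.csrf_token(sid)},
                    {"Origin": f"http://{cam.host}"})
    return s_auth, s_pw, auth_after, pw_after, cam.handle(legit)


if __name__ == "__main__":
    print("vulnerable:", demo(False))
    print("hardened:  ", demo(True))
```

Without the check both forged requests succeed: authentication is switched off and the admin password is now the attacker's. With it, both are refused while the UI's own form, which carries the token and a first-party Origin, still works. Marking the session cookie SameSite=Lax (or Strict) is a useful second layer on current browsers, but the token check is what protects older clients and non-browser paths.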


Cisco Web Security Appliance Privilege Escalation Vulnerability

A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. (Version 1.1 - Added a new fixed release.)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-scr-web-priv-esc-k3HCGJZ


Multiple Vulnerabilities Patched in WordPress Download Manager

On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations.

https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/


Security updates for Friday

Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf).

https://lwn.net/Articles/864684/


PEPPERL+FUCHS: Security Advisory for PrintNightmare Vulnerability in multiple HMI Devices

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

https://cert.vde.com/de-de/advisories/vde-2021-034


Hitachi ABB Power Grids eSOMS

This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Hitachi ABB Power Grids eSOMS management software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-210-01


Wibu-Systems CodeMeter Runtime

This advisory contains mitigations for Buffer Over-read vulnerabilities in Wibu-Systems CodeMeter Runtime license manager software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02


Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781)

https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerability-affects-ibm-partner-engagement-manager-cve-2021-29781/


Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-and-wlp-affects-ibm-cloud-application-business-insights-2/


Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29736)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-privilege-escalation-vulnerability-cve-2021-29736/


Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25215)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-aix-cve-2021-25215/


Security Bulletin: i2 Analyze has an information disclosure vulnerability (CVE-2019-17638)

https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyze-has-an-information-disclosure-vulnerability-cve-2019-17638/


Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2021-20417, CVE-2021-20415)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-guardium-data-encryption-gde-cve-2021-20417-cve-2021-20415-2/