Daily summary - 04.08.2021

End-of-Day report

Timeframe: Tuesday 03-08-2021 18:00 - Wednesday 04-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

New Cobalt Strike bugs allow takedown of attackers' servers

Security researchers have discovered Cobalt Strike denial of service (DoS) vulnerabilities that allow blocking beacon command-and-control (C2) communication channels and new deployments.

https://www.bleepingcomputer.com/news/security/new-cobalt-strike-bugs-allow-takedown-of-attackers-servers/


Phishing Campaign Dangles SharePoint File-Shares

Attackers spoof sender addresses to appear legitimate in a crafty campaign that can slip past numerous detections, Microsoft researchers have discovered.

https://threatpost.com/phishing-sharepoint-file-shares/168356/


Three Problems with Two Factor Authentication, (Tue, Aug 3rd)

Usability remains a challenge for two-factor authentication. I recently came across a review of a healthcare-related mobile app, and a one-star review complained about how unusable the application is due to its two-factor requirement.

https://isc.sans.edu/diary/rss/27704


Pivoting and Hunting for Shenanigans from a Reported Phishing Domain, (Wed, Aug 4th)

I was alerted to a web page masquerading as a local financial institution earlier in the day. The phishing web page was constructed well, looked extremely similar to the financial institution's actual page and had input fields for victims to input their credentials.

https://isc.sans.edu/diary/rss/27710


SAML is insecure by design

SAML signatures are computed over a derived (canonicalised) form of the signed data rather than over the bytes the relying party actually parses. The post argues that this practice is inherently insecure and that SAML is therefore insecure as a design.

https://joonas.fi/2021/08/saml-is-insecure-by-design/
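The failure mode behind that thesis is that the verifier and the consumer can end up looking at different things: the signature is checked over whatever element a reference points at, while the application consumes whatever it finds first in the parsed tree. The following is an added example, not code from the linked post; it replaces XMLDSig with an HMAC over a minimal canonical serialisation (an assumption to keep it self-contained; the referencing logic is what matters), and all XML, names and the key are constructed here.

```python
"""
Added example: a signed SAML-style Response where the Signature covers the
Assertion it references by ID. A naive Service Provider that checks "is there a
valid signature in this document" and then consumes the first Assertion can be
fed an unsigned Assertion for a different user (the classic wrapping problem).
XMLDSig is stood in for by an HMAC over a tiny canonical serialisation; real
SAML uses RSA/ECDSA XMLDSig with C14N, but the reference-by-ID logic is the same.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"idp-signing-key"  # constructed stand-in for the IdP's signing key


def canonical(elem):
    """Stand-in for XML canonicalisation: sorted attributes, no tails, no whitespace."""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    inner = (elem.text or "") + "".join(canonical(c) for c in elem)
    return f"<{elem.tag}{attrs}>{inner}</{elem.tag}>"


def idp_sign(assertion_xml):
    """IdP side: wrap the Assertion in a Response and sign it by ID reference."""
    assertion = ET.fromstring(assertion_xml)
    mac = hmac.new(KEY, canonical(assertion).encode(), hashlib.sha256).hexdigest()
    return (f"<Response>{assertion_xml}"
            f'<Signature Reference="{assertion.get("ID")}" Value="{mac}"/></Response>')


def verify_referenced(root):
    """Return the Assertion the Signature actually covers, or None if it does not verify."""
    sig = root.find("Signature")
    if sig is None:
        return None
    target = next((a for a in root.iter("Assertion") if a.get("ID") == sig.get("Reference")), None)
    if target is None:
        return None
    expected = hmac.new(KEY, canonical(target).encode(), hashlib.sha256).hexdigest()
    return target if hmac.compare_digest(expected, sig.get("Value", "")) else None


def naive_sp_login(response_xml):
    """Vulnerable SP: signature check and data consumption are decoupled."""
    root = ET.fromstring(response_xml)
    if verify_referenced(root) is None:
        return None
    # Consumes the FIRST Assertion in document order, not the one that was verified.
    return root.find(".//Assertion/Subject").text


def hardened_sp_login(response_xml):
    """Fixed SP: only ever reads from the element the signature was verified over."""
    root = ET.fromstring(response_xml)
    signed = verify_referenced(root)
    if signed is None:
        return None
    return signed.find("Subject").text


def wrap(signed_response, attacker_subject):
    """Attacker: keep the signed Assertion byte-identical (signature still verifies),
    but place an unsigned Assertion for another user in front of it."""
    root = ET.fromstring(signed_response)
    original = root.find("Assertion")
    forged = ET.fromstring(f'<Assertion ID="_forged"><Subject>{attacker_subject}</Subject></Assertion>')
    root.remove(original)
    root.insert(0, forged)
    root.insert(1, original)
    return ET.tostring(root, encoding="unicode")


def demo():
    signed = idp_sign('<Assertion ID="_a1"><Subject>alice</Subject></Assertion>')
    forged = wrap(signed, "admin")
    return {
        "naive_legit": naive_sp_login(signed),          # "alice"
        "naive_forged": naive_sp_login(forged),         # "admin": signature passed, wrong user consumed
        "hardened_forged": hardened_sp_login(forged),   # "alice": only the signed element is trusted
        "tampered": hardened_sp_login(signed.replace("alice", "mallory")),  # None: MAC mismatch
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The hardened variant is the minimum a relying party needs: return the verified element itself and read claims only from it, never re-locate the assertion by path or by "first match" after the check. Production code should additionally reject documents with more than one Assertion and pin the expected reference ID.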


Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader

Cisco Talos recently discovered a use-after-free vulnerability in a specific function of tinyobjloader.

https://blog.talosintelligence.com/2021/08/vuln-spotlight-.html


Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure

Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting.

https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitoring/


OpSec Leaky Images

Hackers love your marketing department. Fact! Your marketing department loves telling the world what happens in your company, then they attach images to the posts, often of staff at work.

https://www.pentestpartners.com/security-blog/opsec-leaky-images/


Beware of cheque fraud: restaurant owners receive fraudulent reservation requests!

Fraudsters try to get at restaurant owners' money with supposed reservations: if a supposed guest from abroad wants to reserve for a larger group and pay in advance by cheque, caution is warranted.

https://www.watchlist-internet.at/news/achtung-scheckbetrug-restaurant-besitzerinnen-erhalten-betruegerische-reservierungsanfragen/


IntelMQ 3.0 - Configuration, Domain based workflow, IEPs

We are happy to announce the completion of the IntelMQ 3.0 milestone.

https://cert.at/en/blog/2021/8/intelmq-30-domain-based-workflow-ieps


Shodan Verified Vulns 2021-08-01

Vulnerabilities unfortunately do not take a summer break, so this month we again took a look at those that Shodan sees in Austria.

https://cert.at/de/aktuelles/2021/8/shodan-verified-vulns-2021-08-01

Vulnerabilities

INFRA:HALT: New vulnerabilities discovered in the TCP/IP stack of industrial devices

The research team behind "Amnesia:33", "Number:Jack" and co. has found further vulnerabilities, this time in "NicheStack" for the operational technology sector.

https://heise.de/-6154631


Security updates for Wednesday

Security updates have been issued by Debian (asterisk, libpam-tacplus, and wordpress), Fedora (buildah and podman), openSUSE (thunderbird and webkit2gtk3), Oracle (kernel and varnish:6), SUSE (kernel, kvm, and webkit2gtk3), and Ubuntu (libdbi-perl and php-pear).

https://lwn.net/Articles/865192/


Security Bulletin: IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-could-allow-a-remote-attacker-to-execute-arbitrary-code-due-to-cve-2021-33195/


Security Bulletin: Vulnerability in Apache Commons IO may affect Cúram Social Program Management (CVE-2021-29425)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-io-may-affect-cram-social-program-management-cve-2021-29425/


Security Bulletin: Vulnerability in Dojo may affect Cúram Social Program Management (CVE-2020-5258)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may-affect-cram-social-program-management-cve-2020-5258/


Security Bulletin: IBM API Connect is impacted by reflected cross site scripting (CVE-2020-4707)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-reflected-cross-site-scripting-cve-2020-4707/


PHOENIX CONTACT : Products utilizing WIBU SYSTEMS CodeMeter components in versions prior to V7.21a

https://cert.vde.com/de-de/advisories/vde-2021-036


PHOENIX CONTACT : DoS for PLCnext Control devices in versions prior to 2021.0.5 LTS

https://cert.vde.com/de-de/advisories/vde-2021-029


Dell integrated Dell Remote Access Controller: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K21-0830


Cross Site Request Forgery (CSRF) vulnerability in Bosch IP cameras

https://psirt.bosch.com/security-advisories/bosch-sa-033305-bt.html


SYSS-2021-042: Tiny Java Web Server and Servlet Container (TJWS) - Reflected Cross-Site Scripting

https://www.syss.de/pentest-blog/syss-2021-042-tiny-java-web-server-and-servlet-container-tjws-reflected-cross-site-scripting