Daily summary - 12.08.2021

End-of-Day report

Timeframe: Wednesday 11-08-2021 18:00 - Thursday 12-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

PrintNightmare: Yet another printer vulnerability in Windows without a patch

Microsoft evidently cannot get its print spooler under control; attackers could once again gain SYSTEM privileges.

https://heise.de/-6163743


Accenture victim of the LockBit ransomware

The IT consulting company Accenture has apparently fallen victim to a cyberattack involving the LockBit ransomware. The company has since acknowledged the attack. Data also appears to have been exfiltrated during the ransomware infection. Here is some information on what is known so far.

https://www.borncity.com/blog/2021/08/12/accenture-opfer-der-lockbit-ransomware/


QR Code Scammers Get Creative with Bitcoin ATMs

Threat actors are targeting everyone from job hunters to Bitcoin traders to college students wanting a break on their student loans, by exploiting the popular technology's trust relationship with users.

https://threatpost.com/qr-code-scammers-bitcoin-atms/168621/


7 ways to harden your environment against compromise

Here at the global Microsoft Compromise Recovery Security Practice (CRSP), we work with customers who have experienced disruptive security incidents to restore trust in identity systems and remove adversary control. During 2020, the team responded to many incidents involving ransomware and the deployment of crypto-mining tools.

https://www.microsoft.com/security/blog/2021/08/11/7-ways-to-harden-your-environment-against-compromise/


Best Practices for Web Form Security

Web form security -- the set of tools and practices intended to protect web forms from attacks and abuse -- is one of the most critical aspects of overall website security. Web forms allow users to interact with your site and enable a lot of useful functionality. However, once a user can interact with your site to do something useful there is a new attack surface for a hacker to exploit.

https://blog.sucuri.net/2021/08/best-practices-for-web-form-security.html


Experts Shed Light On New Russian Malware-as-a-Service Written in Rust

A nascent information-stealing malware sold and distributed on Russian underground forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.

https://thehackernews.com/2021/08/experts-shed-light-on-new-russian.html


Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT

Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper.

https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html


Why No HTTPS? The 2021 Version

More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the world's largest websites that didn't properly redirect insecure requests to secure ones. We updated it December before last and pleasingly, noted that more websites than [...]

https://www.troyhunt.com/why-no-https-the-2021-version/


August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws

Siemens and Schneider Electric on Tuesday released 18 security advisories addressing a total of more than 50 vulnerabilities affecting their products. The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks.

https://www.securityweek.com/august-2021-ics-patch-tuesday-siemens-schneider-address-over-50-flaws


IISerpent: Malware-driven SEO fraud as a service

The last in our series on IIS threats introduces a malicious IIS extension used to manipulate page rankings for third-party websites.

https://www.welivesecurity.com/2021/08/11/iiserpent-malware-driven-seo-fraud-service/


Affiliates Unlocked: Gangs Switch Between Different Ransomware Families

The demise of Sodinokibi has led to a surge in LockBit activity, while there's evidence affiliates are using multiple ransomware families to achieve their goals.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-trends-lockbit-sodinokibi


CobaltSpam tool can flood Cobalt Strike malware servers

A security researcher has published this week a tool to flood Cobalt Strike servers, often used by malware gangs, with fake beacons in order to corrupt their internal databases of infected systems.

https://therecord.media/cobaltspam-tool-can-flood-cobalt-strike-malware-servers/

Vulnerabilities

Intel closes security holes in laptops, Linux drivers & co.

Attackers could attack Intel PCs and, in the worst case, gain full control over the computer. Security updates are available.

https://heise.de/-6163478


JavaScript framework: Next.js 11.1 fixes an open redirect vulnerability

The React framework Next.js receives an update to version 11.1, just under two months after the last major release, to prevent possible open redirects.

https://heise.de/-6163575


Security updates for Thursday

Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (firefox-esr, libspf2, and openjdk-11-jre-dcevm), Fedora (bluez, fetchmail, and prosody), Oracle (edk2, glib2, kernel, and libuv), Red Hat (.NET Core 3.1), SUSE (cpio), and Ubuntu (firefox and openssh).

https://lwn.net/Articles/866076/


Plone vulnerable to open redirect

https://jvn.jp/en/jp/JVN50804280/


Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-csv-injection-cve-2021-20509/


Security Vulnerabilities fixed in Thunderbird 91

https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/


TRUMPF Laser GmbH: multiple products prone to codesys runtime vulnerabilities

https://cert.vde.com/de-de/advisories/vde-2021-033


Node.js: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0866