End-of-Day report
Timeframe: Monday 16-08-2021 18:00 - Tuesday 17-08-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Malware dev infects own PC and data ends up on intel platform
A malware developer unleashed their creation on their system to try out new features and the data ended up on a cybercrime intelligence platform, exposing a glimpse of the cybercriminal endeavor.
https://www.bleepingcomputer.com/news/security/malware-dev-infects-own-pc-and-data-ends-up-on-intel-platform/
Copyright scammers turn to phone numbers instead of web links
Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers.
https://nakedsecurity.sophos.com/2021/08/16/copyright-scammers-turn-to-phone-numbers-instead-of-web-links/
Laravel (<=v8.4.2) exploit attempts for CVE-2021-3129 (debug mode: Remote code execution), (Tue, Aug 17th)
The vulnerability and this PoC exploit are well documented as CVE-2021-3129. The vulnerability takes advantage of the Ignition "Solutions." Solutions enable the developer to inject code snippets to aid in debugging.
https://isc.sans.edu/diary/rss/27758
Beware of fake payment confirmations from criminals on bazar.at
Anyone offering goods for sale on bazar.at currently needs to watch out for criminal "buyers"! They ask whether an item is still available and claim to handle payment through bazar.at. Warning: bazar.at offers no such payment method, and the confirmation pages are fake!
https://www.watchlist-internet.at/news/vorsicht-vor-fake-zahlungsbestaetigungen-von-kriminellen-auf-bazarat/
Thoughts on Detection
After helping many clients with numerous detection rules, I observed one consistent theme that kept popping up: many of the rules were written in a way that seemed to be missing a large portion of the potential detection opportunities.
https://posts.specterops.io/thoughts-on-detection-3c5cab66f511
1Password Secret Retrieval - Methodology and Implementation
1Password is a password manager developed by AgileBits Inc., providing a place for users to store various passwords, software licenses, and other sensitive information in virtual vaults secured with a PBKDF2 master password.
https://posts.specterops.io/1password-secret-retrieval-methodology-and-implementation-6a9db3f3c709
Personal VPN and Its Evasions: Risk Factors and How to Maintain Network Visibility
Personal VPN usage on organizations' networks can obscure network visibility and open the door to cybercrime such as data exfiltration.
https://unit42.paloaltonetworks.com/person-vpn-network-visibility/
ProxyShell in Austria
In his talk at Black Hat USA 2021, security researcher Orange Tsai presented another combination of vulnerabilities that allows attackers to execute arbitrary commands as NT Authority\System over the network without having to authenticate.
https://cert.at/de/aktuelles/2021/8/proxyshell-in-osterreich
New HolesWarm botnet targets Windows and Linux servers
A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware.
https://therecord.media/new-holeswarm-botnet-targets-windows-and-linux-servers/
Vulnerabilities
Fortinet patches bug letting attackers take over servers remotely
Fortinet has released security updates to address a command injection vulnerability that can let attackers take complete control of servers running vulnerable FortiWeb web application firewall (WAF) installations.
https://www.bleepingcomputer.com/news/security/fortinet-patches-bug-letting-attackers-takeover-servers-remotely/
Security: glibc bug fix made vulnerability easier to exploit
Fixing security vulnerabilities is not always as simple as it first appears, as the glibc team has now had to learn.
https://www.golem.de/news/security-glibc-bugfix-machte-luecke-einfacher-ausnutzbar-2108-158942-rss.html
ZDI-21-971: (Pwn2Own) Zoom Heap based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zoom Clients. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-21-971/
Security update for Google Chrome closes attack vectors
An update is available for the desktop versions of the Chrome browser (Windows, macOS and Linux) that fixes several vulnerabilities.
https://heise.de/-6167542
Security updates for Tuesday
Security updates have been issued by Fedora (firefox), openSUSE (cpio and rpm), Oracle (compat-exiv2-026, exiv2, firefox, kernel, kernel-container, qemu, sssd, and thunderbird), Red Hat (cloud-init, edk2, kernel, kpatch-patch, microcode_ctl, and sssd), and SUSE (cpio, firefox, and libcares2).
https://lwn.net/Articles/866567/
Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability
Researchers at FireEye's threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks.
https://www.securityweek.com/millions-iot-devices-exposed-attacks-due-cloud-platform-vulnerability
iCloud for Windows 12.5
https://support.apple.com/kb/HT212607
Security Bulletin: Vulnerabilities in Node.js in IBM DataPower Gateway
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-in-ibm-datapower-gateway/
Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities (CVE-2020-1971, CVE-2020-15999, CVE-2017-12652)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-security-vulnerabilities-cve-2020-1971-cve-2020-15999-cve-2017-12652/
Security Bulletin: IBM DataPower Gateway potentially vulnerable to CSRF attack
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-potentially-vulnerable-to-csrf-attack/
Security Bulletin: IBM API Connect on cloud is impacted by HTTP header injection vulnerability (CVE-2020-4706)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-on-cloud-is-impacted-by-http-header-injection-vulnerability-cve-2020-4706/
Security Bulletin: Prototype pollution flaw in y18n in IBM DataPower Gateway
https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-flaw-in-y18n-in-ibm-datapower-gateway/
Security Bulletin: IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-27919)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-a-vulnerability-in-golang-cve-2021-27919/
Security Bulletin: Multiple vulnerabilities in AngularJS
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-angularjs/
Security Bulletin: Potential DoS in IBM DataPower Gateway
https://www.ibm.com/blogs/psirt/security-bulletin-potential-dos-in-ibm-datapower-gateway/
Security Bulletin: IBM DataPower Gateway vulnerable to a DoS
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vulnerable-to-a-dos/
Synology-SA-21:22 DSM
https://www.synology.com/en-global/support/security/Synology_SA_21_22
Apache HTTP Server: vulnerability allows denial of service
http://www.cert-bund.de/advisoryshort/CB-K21-0878
Integer Overflow to RCE - ManageEngine Asset Explorer Agent (CVE-2021-20082)
https://medium.com/tenable-techblog/integer-overflow-to-rce-manageengine-asset-explorer-agent-cve-2021-20082-7e54cb2caad5
Stored XSS to RCE Chain as SYSTEM in ManageEngine ServiceDesk Plus
https://medium.com/tenable-techblog/stored-xss-to-rce-chain-as-system-in-manageengine-servicedesk-plus-493c10f3e444