Daily Summary - 18.08.2021

End-of-Day report

Timeframe: Tuesday 17-08-2021 18:00 - Wednesday 18-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Critical flaw in Blackberry QNX OS endangers medical devices

Blackberry has closed a dangerous vulnerability in its real-time operating system QNX.

https://heise.de/-6168793


Critical security vulnerability: attackers could eavesdrop on millions of IoT devices

Security researchers warn of a vulnerability that endangers millions of baby monitors and IP cameras, among other devices. The devices cannot easily be protected.

https://heise.de/-6168381


Fortinet: important security update for FortiWeb OS in preparation

Exploit code exists for a vulnerability rated High, but fixes will not arrive until the end of August. Operators of FortiWeb WAFs should take precautions.

https://heise.de/-6168205


Caution! Free antivirus program "Total AV" turns out to be a cost trap

Time and again, unsettled readers report the antivirus program "Total AV" to us. The reasons are non-transparent costs and problems cancelling the subscription contract. At the same time, "Total AV" is advertised on many sites as the best free antivirus program. We took a closer look at the program.

https://www.watchlist-internet.at/news/vorsicht-kostenloses-antivirenprogramm-total-av-entpuppt-sich-als-kostenfalle/


Security advisory for Synology DiskStation Manager and UC SkyNAS

The manufacturer Synology has issued a security advisory for its DiskStation Manager (version <6.2.4-25556-2 ; 7.0). The devices' firmware contains several security vulnerabilities. UC SkyNAS units are also affected. Synology has already released initial firmware updates. A new variant of the eCh0raix ransomware can exploit a new bug in QNAP and Synology NAS devices.

https://www.borncity.com/blog/2021/08/18/sicherheitswarnung-fr-synology-diskstation-manager-und-uc-skynas/


Diavol ransomware sample shows stronger connection to TrickBot gang

A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware.

https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/


Kerberos Authentication Spoofing: Don't Bypass the Spec

Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS.

https://threatpost.com/kerberos-authentication-spoofing/168767/


5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th)

Many readers will likely continue to enjoy working from home. Having not worked out of an office for about 20 years myself, I can certainly understand the appeal of working from home. But for some, this isn't an option and probably not even the preferred way to work. Having likely worked from home for over a year now, there are some things that you need to "readjust" as you are moving back.

https://isc.sans.edu/diary/rss/27762


Detecting Embedded Content in OOXML Documents

On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we're sharing a technique we use to detect and cluster Microsoft Office documents - specifically those in the Office Open XML (OOXML) file format. Additionally, we're releasing a tool so analysts and defenders can automatically generate YARA rules using this technique.

https://www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-content-in-ooxml-documents.html


WordPress Malware Camouflaged As Code

In today's post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker's goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing.

https://www.wordfence.com/blog/2021/08/wordpress-malware-camouflaged-as-code/


IT Risk Team Discovers Previously Unknown Vulnerability in Autodesk Software During Client Penetration Test

During a recent client engagement, the DGC penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. The vulnerability exists in a software component common to most Autodesk products and impacts nearly all organizations using licensed Autodesk software in any capacity.

https://www.tripwire.com/state-of-security/security-data-protection/risk-team-discovers-unknown-vulnerability-autodesk-software/


Houdini Malware Returns and Amazon's Sidewalk Enters Corporate Networks

The nature of a secure access service edge (SASE) platform provides visibility into a large number of internet data flows - and the larger the platform, the more dataflows can be analyzed. An analysis of more than 250 billion network flows during Q2 2021 shows increasing threats, a new use of an old malware, and the growing incidence of consumer devices in the workplace.

https://www.securityweek.com/houdini-malware-returns-and-amazons-sidewalk-enter-corporate-networks


Breaking the Android Bootloader on the Qualcomm Snapdragon 660

This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series [...]

https://www.pentestpartners.com/security-blog/breaking-the-android-bootloader-on-the-qualcomm-snapdragon-660/


Dumpster diving is a filthy business

One man's trash is another man's treasure - here's why you should think twice about what you toss in the recycling bin

https://www.welivesecurity.com/2021/08/17/dumpster-diving-is-filthy-business/


Cobalt Strike: Detect this Persistent Threat

Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular in red team activities and used for malicious purposes by threat actors.

https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/

Vulnerabilities

Adobe secures Photoshop & Co. with out-of-band updates

The software manufacturer Adobe closes security vulnerabilities in Bridge, Media Encoder and XMP Toolkit SDK, among others.

https://heise.de/-6168132


Security updates for Wednesday

Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, [...]

https://lwn.net/Articles/866669/


ThroughTek Kalay P2P SDK

This advisory contains mitigations for an Improper Access Control vulnerability in the ThroughTek Kalay P2P SDK software kit.

https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01


Advantech WebAccess/NMS

This advisory contains mitigations for an Improper Authentication vulnerability in Advantech WebAccess/NMS network management systems.

https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02


xArrow SCADA

This advisory contains mitigations for Cross-site Scripting and Improper Input Validation vulnerabilities in the xArrow SCADA human-machine interface.

https://us-cert.cisa.gov/ics/advisories/icsa-21-229-03


Huawei EchoLife HG8045Q vulnerable to OS command injection

https://jvn.jp/en/jp/JVN41646618/


Firefox & Thunderbird: security fixes available for browser and mail client

https://heise.de/-6168771


glibc vulnerability CVE-2021-35942

https://support.f5.com/csp/article/K98121587


Atlassian Jira Software: vulnerability allows disclosure of information

https://www.cert-bund.de/advisoryshort/CB-K21-0880


QEMU: vulnerability allows execution of arbitrary code with user privileges

https://www.cert-bund.de/advisoryshort/CB-K21-0885