Daily summary - 25.08.2021

End-of-Day report

Timeframe: Tuesday 24-08-2021 18:00 - Wednesday 25-08-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Medicine: security vulnerabilities discovered in infusion pumps

Medical infusion pumps deliver medication to patients. If attackers can tamper with the dose unnoticed, the consequences can be severe.

https://www.golem.de/news/medizin-sicherheitsluecken-in-infusionspumpen-entdeckt-2108-159120-rss.html


Security updates: F5 network equipment vulnerable to attacks

F5 has closed several dangerous security vulnerabilities in various BIG-IP appliances.

https://heise.de/-6174378


Danger from old vulnerabilities

Trend Micro urges companies to focus their patching efforts on the vulnerabilities that pose the greatest risk to their organisation, even when those vulnerabilities are several years old. Around a quarter of the exploits traded in the cybercriminal underground are more than three years old.

https://www.zdnet.de/88396365/gefahr-durch-alte-schwachstellen/


Beware of a supposed doctor from Afghanistan who wants to buy your flat!

Do you currently have a property advertised online? Then you should be wary of a supposed prospective buyer from Afghanistan. A self-described doctor is currently writing at random to people who have advertised a flat, claiming that she wants to move to Europe because she can no longer work as a doctor under the Taliban. Beware, this is fraud! Criminals are exploiting the plight of the Afghan population here.

https://www.watchlist-internet.at/news/vorsicht-vor-angeblicher-aerztin-aus-afghanistan-die-ihre-wohnung-kaufen-will/


Ransomware gang's script shows exactly the files they're after

A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/


FIN8 cybercrime gang backdoors US orgs with new Sardonic malware

A financially motivated cybercrime gang has breached and backdoored the network of a US financial organization with new malware dubbed Sardonic by the Bitdefender researchers who first spotted it.

https://www.bleepingcomputer.com/news/security/fin8-cybercrime-gang-backdoors-us-orgs-with-new-sardonic-malware/


There may be (many) more SPF records than we might expect, (Wed, Aug 25th)

The Sender Policy Framework (SPF[1]) is a simple but fairly powerful mechanism that may be used (ideally in connection with DKIM[2] and DMARC[3]) to combat phishing to some degree. Basically, it allows a domain name owner to publish a special DNS TXT record containing a list of servers that are authorized to send e-mails for that domain.

https://isc.sans.edu/diary/rss/27786
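
The paragraph above describes the SPF mechanism but not how a receiving server actually applies a record to an incoming connection. The following added example (not code from the ISC diary, and not a complete RFC 7208 implementation) evaluates a sender IP against an SPF record. It supports the ip4, ip6, include and all terms with all four qualifiers, and enforces the RFC 7208 limit of ten DNS-querying terms so a self-including record cannot recurse forever. DNS is replaced by a constructed in-memory table (FAKE_TXT, with documentation domains and addresses) so the example runs offline; the record contents are assumptions, not real published records.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These are documentation domains/addresses, not real SPF records.
FAKE_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological record
}

# RFC 7208 section 4.6.4: at most 10 mechanisms that need DNS lookups.
MAX_DNS_MECHANISMS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=FAKE_TXT, _budget=None):
    """Evaluate sender_ip against the SPF record published for domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, ptr, exists,
    redirect= and exp= are reported as permerror in this example.
    """
    if _budget is None:
        _budget = [MAX_DNS_MECHANISMS]  # shared across nested includes
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]

        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            nested = check_spf(arg, sender_ip, txt, _budget)
            if nested == "pass":
                return QUALIFIERS[qualifier]  # include matches only on pass
            if nested in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            # fail/softfail/neutral from the include: no match, continue

        else:
            return "permerror"  # unsupported or unknown mechanism

    return "neutral"  # fell off the end of the record without a match


if __name__ == "__main__":
    for sender in ("192.0.2.77", "2001:db8:1::5", "198.51.100.10", "203.0.113.9"):
        print(sender, "->", check_spf("example.org", sender))
    print("loop.example ->", check_spf("loop.example", "192.0.2.1"))
```

A sender inside 192.0.2.0/24 or 2001:db8::/32 passes directly; 198.51.100.10 passes only via the include, and any other address falls through to "-all" and fails. The softfail ("~all") inside the included record does not propagate: per RFC 7208 an include matches only when the nested evaluation returns pass. The loop.example record shows why the lookup budget matters: without it, evaluation would never terminate.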


7 Ways to Secure Magento 1

While unpatched installations of Magento 2 contain many vulnerabilities, I'm going to focus my attention on Magento 1 for this article. This is because Magento 2 provides regularly updated patches for many of the most common vulnerabilities targeting the platform. While Magento 1 also contains patches for many known vulnerabilities, those patches are not currently maintained. Magento 1 reached its end-of-support on June 30, 2020.

https://blog.sucuri.net/2021/08/securing-magento-1.html


RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate

As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.

https://www.riskiq.com/blog/external-threat-management/eitest-gootloader/


The SideWalk may be as dangerous as the CROSSWALK

Meet SparklingGoblin, a member of the Winnti family

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/


CISA Releases Five Pulse Secure-Related MARs

As part of CISA's ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA's Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information.

https://us-cert.cisa.gov/ncas/current-activity/2021/08/24/cisa-releases-five-pulse-secure-related-mars


North Korean BLUELIGHT Special: InkySquid Deploys RokRAT

In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT. This follow-up post describes findings from a recent investigation undertaken by Volexity in which the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka DOGCALL).

https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/

Vulnerabilities

BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021

On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability in the following BlackBerry software releases:
- QNX Software Development Platform (SDP) - 6.5.0SP1 and earlier
- QNX OS for Medical - 1.1 and earlier
- QNX OS for Safety - 1.0.1 and earlier
A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS).

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL


Cisco NX-OS Software Python Parser Privilege Escalation Vulnerability

Update from August 25, 2021: Cisco found that this vulnerability was present in additional releases of Cisco NX-OS Software with the introduction of Python 3 support. For more information, see the Fixed Software section of this advisory.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-pyth-escal


VMSA-2021-0018

VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)

https://www.vmware.com/security/advisories/VMSA-2021-0018.html


Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the [...]

https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/


Nested Pages Patches Post Deletion Vulnerability

On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished [...]

https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability/


Security updates for Wednesday

Security updates have been issued by Debian (openssl), openSUSE (libspf2, openssl-1_0_0, and openssl-1_1), Oracle (libsndfile), SUSE (nodejs10, nodejs12, openssl, openssl-1_0_0, openssl-1_1, and openssl1), and Ubuntu (openssl).

https://lwn.net/Articles/867354/


Hitachi ABB Power Grids TropOS

This advisory contains mitigations for Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, and Improper Input Validation vulnerabilities in Hitachi ABB Power Grids TropOS firmware.

https://us-cert.cisa.gov/ics/advisories/icsa-21-236-01


Hitachi ABB Power Grids Utility Retail Operations and CSB Products

This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Retail Operations and Counterparty Settlement Billing (CSB) utility usage and billing software products.

https://us-cert.cisa.gov/ics/advisories/icsa-21-236-02


Delta Electronics TPEditor

This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in Delta Electronics TPEditor programming software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-236-03


Vembu BDR Full Disclosure

On 15 May 2021 we published case DIVD-2020-00011, which dealt with four vulnerabilities in Vembu BDR and related products. These four vulnerabilities were confidentially reported to Vembu in November 2020 and again in February 2021. Current status: from recent scan data we know that the three most damaging vulnerabilities have practically ceased to be present on the internet, therefore we have decided to release the full technical details on these vulnerabilities.

https://csirt.divd.nl/2021/08/25/Vembu-BDR-Full-Disclosure/


Xen Security Advisory CVE-2021-28700 / XSA-383

xen/arm: No memory limit for dom0less domUs

https://xenbits.xen.org/xsa/advisory-383.html


Xen Security Advisory CVE-2021-28699 / XSA-382

inadequate grant-v2 status frames array bounds check

https://xenbits.xen.org/xsa/advisory-382.html


Xen Security Advisory CVE-2021-28698 / XSA-380

long running loops in grant table handling

https://xenbits.xen.org/xsa/advisory-380.html


Xen Security Advisory CVE-2021-28697 / XSA-379

grant table v2 status pages may remain accessible after de-allocation

https://xenbits.xen.org/xsa/advisory-379.html


Xen Security Advisory CVE-2021-28694,CVE-2021-28695,CVE-2021-28696 / XSA-378

IOMMU page mapping issues on x86

https://xenbits.xen.org/xsa/advisory-378.html


The installers of multiple Sony products may insecurely load Dynamic Link Libraries

https://jvn.jp/en/jp/JVN80288258/


QEMU: vulnerability allows denial of service

https://www.cert-bund.de/advisoryshort/CB-K21-0908